Lucene search
+L

120 matches found

Nuclei
Nuclei
added 9 hours ago18 views

WordPress Kali Forms <= 2.4.9 - Remote Code Execution

Kali Forms WordPress plugin = 2.4.9 contains a remote code execution caused by unsafe user input handling in 'formprocess' and 'preparepostdata' functions, letting unauthenticated attackers execute code on the server, exploit requires no authentication. id: CVE-2026-3584 info: name: WordPress Kal...

9.8CVSS6.3AI score0.07239EPSS
Exploits2References2
EUVD
EUVD
added 11 hours ago5 views

EUVD-2026-45130

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS6.2AI score
Exploits0References8
CVE
CVE
added 11 hours ago11 views

CVE-2026-15395

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin is affected by CVE-2026-15395: Stored XSS via the digitalSignature field in all versions up to and including 2.4.18, caused by insufficient input sanitization and output escaping. The vulnerability allows unauthenticated attac...

7.2CVSS6.2AI score
Exploits0References8
Cvelist
Cvelist
added 11 hours ago7 views

CVE-2026-15395 Kali Forms <= 2.4.18 - Unauthenticated Stored Cross-Site Scripting via 'digitalSignature' Field Value

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS
Exploits0References8
NVD
NVD
added 2 days ago6 views

CVE-2026-11580

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post regardless of owner, post type, or status into a...

5.5CVSS0.00189EPSS
Exploits0References1
NVD
NVD
added 2 days ago5 views

CVE-2026-11579

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

5.3CVSS0.00237EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-11580

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post regardless of owner, post type, or status into a...

6.1AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-44593

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post regardless of owner, post type, or status into a...

5.5CVSS6.1AI score0.00189EPSS
Exploits0References1
CVE
CVE
added 2 days ago11 views

CVE-2026-11580

The CVE covers Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin prior to 2.4.17. The root cause is a missing per-object capability check in the post-duplication AJAX action, enabling users with Contributor-level access or higher to duplicate any post (regardless of owner, post t...

5.5CVSS6.1AI score0.00189EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago37 views

CVE-2026-11580 Kali Forms < 2.4.17 - Contributor+ Arbitrary Post Metadata Disclosure via IDOR

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post regardless of owner, post type, or status into a...

0.00189EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2 days ago3 views

CVE-2026-11579

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

6.2AI score0.00237EPSS
Exploits0References1
CVE
CVE
added 2 days ago9 views

CVE-2026-11579

CVE-2026-11579 affects the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin up to version 2.4.17. The issue arises because the plugin does not verify that a file upload is tied to an existing form with a file-upload field, allowing unauthenticated users to upload files to the Wo...

5.3CVSS6.2AI score0.00237EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago41 views

CVE-2026-11579 Kali Forms < 2.4.17 - Unauthenticated Media Upload

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

0.00237EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 5:16 a.m.11 views

CVE-2026-9107

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'metakaliformsfieldcomponents' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible...

6.4CVSS0.00241EPSS
Exploits0References10
CVE
CVE
added 2026/07/01 3:43 a.m.19 views

CVE-2026-9107

The CVE-2026-9107 entry concerns the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. A Stored Cross-Site Scripting vulnerability exists via the meta[kaliforms_field_components] parameter in all versions up to 2.4.13, caused by insufficient input sanitization and output escapin...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/07/01 3:43 a.m.38 views

CVE-2026-9107 Kali Forms <= 2.4.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'kaliforms_field_components' Parameter

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'metakaliformsfieldcomponents' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible...

6.4CVSS0.00241EPSS
Exploits0References10
EUVD
EUVD
added 2026/07/01 3:43 a.m.9 views

EUVD-2026-40891

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'metakaliformsfieldcomponents' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References10
NVD
NVD
added 2026/06/30 7:16 a.m.10 views

CVE-2026-11581

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes i...

5.9CVSS0.0014EPSS
Exploits0References1
CVE
CVE
added 2026/06/30 6:0 a.m.13 views

CVE-2026-11581

The CVE-2026-11581 entry concerns the Kali Forms — Contact Form & Drag-and-Drop Builder for WordPress, vulnerable before version 2.4.13. The form captions (columns on the form-entries admin screen) are not sanitized, allowing stored XSS where a user with Contributor-level access (or higher) can i...

5.9CVSS5.8AI score0.0014EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/30 6:0 a.m.9 views

EUVD-2026-40261

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes i...

5.9CVSS5.8AI score0.0014EPSS
Exploits0References1
Rows per page
Query Builder