Unauthorized Post Duplication in Kali Forms WordPress Plugin
CVE-2026-11580

Currently unrated

Key Information:

Vendor

WordPress

Vendor
CVE Published:
15 July 2026

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

What is CVE-2026-11580?

The Kali Forms β€” Contact Form & Drag-and-Drop Builder WordPress plugin prior to version 2.4.17 is susceptible to an insufficient access control vulnerability. This flaw allows users with Contributor-level access or higher to duplicate any post, circumventing ownership restrictions. As a result, these unauthorized users can create published posts containing sensitive metadata from other users' private posts, potentially exposing confidential information stored within the plugin.

Affected Version(s)

Kali Forms β€” Contact Form & Drag-and-Drop Builder 0 < 2.4.17

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muni Nitish Kumar Yaddala
WPScan
.