Security Flaw in Kali Forms Plugin for WordPress Affects User Data Protection
CVE-2026-11581
Key Information:
- Vendor: WordPress
- CVE Published: 30 June 2026
What is CVE-2026-11581?
The Kali Forms plugin for WordPress, in all versions prior to 2.4.13, is vulnerable to stored cross-site scripting (XSS) caused by improper input validation. The plugin does not sanitize or escape the caption of a form field before rendering it as a column header on the administrator's form-entries screen. An authenticated user with Contributor-level privileges or higher can therefore save a caption containing JavaScript, which executes in the browser of any administrator who later views the entries for that form. The impact is amplified by a second weakness: the post-duplication feature performs no capability check, so a Contributor, who normally cannot publish, can duplicate a form and publish the copy, putting the malicious caption in front of an administrator without any review. The attack is stored and needs no interaction beyond the administrator opening the entries page.
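The following is an added illustration and is not code from the Kali Forms plugin or from this advisory. It shows the vulnerable rendering pattern the description implies (caption written raw into a table header) next to the hardened version that escapes at the point of output, and a duplication handler with the capability check the advisory says was missing. The kf_* function names and the field data are hypothetical; esc_html(), current_user_can() and wp_die() are real WordPress functions, shimmed here so the file runs under a plain php CLI outside WordPress.

```php
<?php
// Added example, not plugin code. kf_* names are hypothetical.
// Shims let this run outside WordPress; inside WordPress the real
// esc_html(), current_user_can() and wp_die() are used instead.

if (!function_exists('esc_html')) {
    // Approximates WordPress esc_html(): HTML-encode for a text context.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('current_user_can')) {
    // Stand-in user model: a Contributor, whose built-in capabilities are
    // read, edit_posts and delete_posts (no publish_posts).
    function current_user_can(string $cap): bool {
        return in_array($cap, ['read', 'edit_posts', 'delete_posts'], true);
    }
}
if (!function_exists('wp_die')) {
    function wp_die(string $msg): void { throw new RuntimeException($msg); }
}

// Constructed field definitions as a Contributor could save them. The second
// caption carries a payload that fires when rendered unescaped.
$fields = [
    ['name' => 'email', 'caption' => 'Email'],
    ['name' => 'msg',   'caption' => '<img src=x onerror="alert(document.cookie)">'],
];

// VULNERABLE pattern: caption concatenated straight into the <th>, so the
// administrator's browser executes whatever the Contributor typed.
function kf_render_entries_header_vulnerable(array $fields): string {
    $html = '<tr>';
    foreach ($fields as $f) {
        $html .= '<th>' . $f['caption'] . '</th>';
    }
    return $html . '</tr>';
}

// HARDENED pattern: escape at output time. The payload is shown as inert
// text; the browser never parses it as markup.
function kf_render_entries_header_fixed(array $fields): string {
    $html = '<tr>';
    foreach ($fields as $f) {
        $html .= '<th>' . esc_html($f['caption']) . '</th>';
    }
    return $html . '</tr>';
}

// Duplication handler with the capability check the advisory describes as
// missing. Requiring publish_posts (Author and above) stops a Contributor
// from cloning a form into a published state.
function kf_duplicate_form(int $form_id): string {
    if (!current_user_can('publish_posts')) {
        wp_die('You are not allowed to duplicate and publish forms.');
    }
    return "duplicated form {$form_id}"; // stand-in for wp_insert_post()
}

echo kf_render_entries_header_vulnerable($fields), PHP_EOL;
echo kf_render_entries_header_fixed($fields), PHP_EOL;
try {
    echo kf_duplicate_form(42), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`: the first line contains the live `<img ... onerror>` tag, the second shows it encoded as `&lt;img ...&gt;`, and the duplication call is refused for the simulated Contributor. The escaping belongs at the output site, not only on save, because an attacker can also write the caption through any other path (import, REST, direct database access) that bypasses input filtering.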
Affected Version(s)
Kali Forms – Contact Form & Drag-and-Drop Builder: all versions prior to 2.4.13 (fixed in 2.4.13)
Exploit Proof of Concept (PoC)
Proof-of-concept (PoC) code is written by security researchers to demonstrate that a vulnerability can be exploited. It is also a key building block for weaponization, which can lead to ransomware or other follow-on attacks. For this issue the exploit primitive is a crafted form-field caption saved by a Contributor account; it is triggered when an administrator views the form-entries screen, so no PoC beyond that description is reproduced here.