Remote Code Execution Vulnerability in Kali Forms Plugin for WordPress

CVE-2026-3584

What is CVE-2026-3584?

CVE-2026-3584 is a critical vulnerability found in the Kali Forms plugin for WordPress, which is widely used by web developers to create forms for websites. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server due to flaws in the 'form_process' function and the related 'prepare_post_data' function. The issue arises from the way user-supplied data is handled, specifically its direct mapping into internal storage that is later used in a way that can lead to code execution using 'call_user_func'. Organizations utilizing this plugin could face substantial risks, as an attacker could exploit this vulnerability to gain unauthorized access to server resources, potentially leading to data breaches or complete system compromise.

Potential impact of CVE-2026-3584

1. Remote Code Execution Risk: The vulnerability allows for remote code execution by unauthenticated attackers, which means that a malicious individual could run arbitrary code on the server where the WordPress site is hosted, leading to system takeover.

2. Data Breaches: If exploited, this vulnerability may facilitate unauthorized access to sensitive user data stored on the affected WordPress site, potentially resulting in serious data breaches and loss of confidential information.

3. Widespread Vulnerability: Given the popularity of the Kali Forms plugin within the WordPress ecosystem, and the fact that all versions up to 2.4.9 are affected, many sites may remain vulnerable, making them attractive targets for cybercriminals aiming to exploit this flaw.

References