Stored Cross-Site Scripting Vulnerability in Kali Forms Plugin for WordPress
CVE-2026-9107
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 1 July 2026
What is CVE-2026-9107?
The Kali Forms plugin allows authenticated users with contributor-level access and above to exploit a stored cross-site scripting vulnerability. This occurs through the unsanitized 'meta[kaliforms_field_components]' parameter, which can allow attackers to inject arbitrary web scripts into pages. These scripts will run when other users access the affected pages, potentially leading to data theft or unauthorized actions executed in the context of the affected user.
Affected Version(s)
Kali Forms β Contact Form & Drag-and-Drop Builder 0 <= 2.4.13