Stored Cross-Site Scripting Vulnerability in Kali Forms Plugin for WordPress
CVE-2026-9107

6.4MEDIUM

What is CVE-2026-9107?

The Kali Forms plugin allows authenticated users with contributor-level access and above to exploit a stored cross-site scripting vulnerability. This occurs through the unsanitized 'meta[kaliforms_field_components]' parameter, which can allow attackers to inject arbitrary web scripts into pages. These scripts will run when other users access the affected pages, potentially leading to data theft or unauthorized actions executed in the context of the affected user.

Affected Version(s)

Kali Forms β€” Contact Form & Drag-and-Drop Builder 0 <= 2.4.13

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio (Os)
.