Platform
wordpress
Component
kali-forms
Fixed in
2.5.4
CVE-2026-3584 is a critical Remote Code Execution (RCE) vulnerability in the Kali Forms WordPress plugin. It allows unauthenticated attackers to execute arbitrary code on the server hosting the site. All plugin versions up to and including 2.4.9 are affected; the fix is available in version 2.4.10.
The impact is severe. Because the vulnerable code path is reachable without a login, no WordPress capability check or nonce stands in the way: an unauthenticated attacker can run arbitrary PHP as the web server user and so take complete control of the WordPress site hosting the plugin. From there, the usual consequences follow: theft of the database (credentials, form submissions, personal data), defacement, web shells and other malware, and lateral movement into the surrounding network. The root cause is insecure handling of user-supplied data in the plugin's `form_process` routine: its `prepare_post_data` step copies submitted keys directly into the plugin's internal data structure, and the values stored there are later passed to `call_user_func`, so a submitted string ends up selecting which PHP function runs.
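The following is an added illustration of the bug class the paragraph describes, not code from the Kali Forms plugin or from this advisory. The function and field names (`prepare_post_data_*`, `form_process_*`, the `callback`, `arg` and `action` keys, the handler map) are assumptions chosen to mirror the description; the real plugin's parameter names are not stated on this page. The vulnerable path is exercised only with a harmless callable to show the mechanism; an attacker would supply a dangerous one instead.

```php
<?php
// Hypothetical reconstruction of the pattern: every submitted key is stored verbatim,
// and a stored value is later treated as a callable. Not the plugin's own code.

// ---- Vulnerable pattern ------------------------------------------------------
function prepare_post_data_vulnerable(array $post): array {
    $data = [];
    foreach ($post as $key => $value) {
        $data[$key] = $value;           // no allowlist, no type check
    }
    return $data;
}

function form_process_vulnerable(array $post) {
    $data = prepare_post_data_vulnerable($post);
    // The handler assumes $data['callback'] names one of its own helpers, but nothing
    // enforces that: whoever submitted the form chose the function name.
    return call_user_func($data['callback'], $data['arg']);
}

// ---- Hardened pattern --------------------------------------------------------
// Only known fields are copied, and the callable is resolved through a closed map.
// A submitted string is never used as a function name.
const ALLOWED_FIELDS = ['name', 'email', 'message', 'action'];

const ACTION_HANDLERS = [
    'send'  => 'handle_send',
    'store' => 'handle_store',
];

function handle_send(array $fields): string  { return 'sent:' . $fields['email']; }
function handle_store(array $fields): string { return 'stored:' . $fields['name']; }

// Minimal stand-in for WordPress' sanitize_text_field() so this runs outside WP.
function sanitize_text_field_compat(string $s): string {
    return trim(strip_tags(preg_replace('/[\r\n\t ]+/', ' ', $s)));
}

function prepare_post_data_hardened(array $post): array {
    $data = [];
    foreach (ALLOWED_FIELDS as $field) {
        if (array_key_exists($field, $post) && is_string($post[$field])) {
            $data[$field] = sanitize_text_field_compat($post[$field]);
        }
    }
    return $data;                        // attacker-chosen keys are simply dropped
}

function form_process_hardened(array $post) {
    $data   = prepare_post_data_hardened($post);
    $action = $data['action'] ?? '';
    if (!isset(ACTION_HANDLERS[$action])) {
        throw new InvalidArgumentException('unknown form action');
    }
    return call_user_func(ACTION_HANDLERS[$action], $data);
}

// ---- Demonstration (constructed request bodies) -------------------------------
// In the vulnerable version the caller picks the function. A benign callable is used
// here; substituting e.g. 'system' is exactly what makes this an RCE.
echo form_process_vulnerable(['callback' => 'strtoupper', 'arg' => 'hello']), "\n"; // HELLO

// In the hardened version the 'callback' key never reaches call_user_func and an
// unknown 'action' is rejected before any callable is resolved.
echo form_process_hardened(['name' => 'a', 'email' => 'a@example.com', 'action' => 'send']), "\n";
try {
    form_process_hardened(['callback' => 'strtoupper', 'arg' => 'hello']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The important difference is not the sanitizer but the shape of the data flow: in the hardened version the set of keys and the set of reachable functions are both fixed at code-writing time, so `call_user_func` only ever receives a name the developer wrote.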
CVE-2026-3584 was publicly disclosed on 2026-03-20. No active exploitation campaigns have been publicly confirmed at the time of writing, but an unauthenticated, low-complexity RCE in a plugin with a large install base is a likely target, and public proof-of-concept (PoC) code tends to follow such disclosures quickly. The vulnerability is not currently listed in the CISA KEV catalog; absence from KEV should not be read as evidence that it is not being exploited.
Exploit Status
EPSS: 0.29% (52nd percentile)
The primary mitigation is to upgrade the Kali Forms plugin to version 2.4.10 or later immediately. If upgrading is not feasible right away because of compatibility concerns, deactivate the plugin until it can be updated; a deactivated plugin's request handlers are not loaded, so the vulnerable `form_process` path is unreachable. As a stopgap, not a substitute for patching, a Web Application Firewall (WAF) rule can block requests that reach the `form_process` handler with suspicious values (for example, values that name PHP functions); such rules are easy to bypass with encoding or alternative parameter layouts, so keep them in place only until the upgrade lands. For plugin maintainers the durable fix is to accept only an allowlisted set of fields and never to pass user-controlled strings to `call_user_func` or similar dynamic-call primitives. After upgrading, verify the installed version rather than firing RCE payloads at a production site: submitting a real exploit payload to confirm it "is rejected" can compromise the host if the update did not take effect. If you want a functional test, run it against a staging copy with a benign marker callable, not a command execution primitive.
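As an added check that is not part of this advisory or of the plugin, the snippet below decides whether an installed copy is in the affected range by reading the plugin's header the way WordPress' `get_plugin_data()` does and comparing with `version_compare()`. The boundary version comes from the advisory text; the main-file path `wp-content/plugins/kali-forms/kali-forms.php` is an assumption and may differ on your install.

```php
<?php
// Added helper (not the plugin's code): classify an installed Kali Forms copy.

const KALI_FORMS_FIXED_VERSION = '2.4.10';   // from the advisory text

// Assumed location of the plugin's main file; adjust to your install.
const KALI_FORMS_MAIN_FILE = 'wp-content/plugins/kali-forms/kali-forms.php';

// Plugin headers are "Name: value" lines inside the leading comment block. This is the
// same header pattern WordPress core uses for the Version field.
function read_plugin_version(string $header_text): ?string {
    if (preg_match('/^[ \t\/*#@]*Version:(.*)$/mi', $header_text, $m)) {
        $v = trim($m[1]);
        return $v === '' ? null : $v;
    }
    return null;
}

function kali_forms_is_vulnerable(?string $version): bool {
    if ($version === null) {
        return true;   // unknown version: treat as affected until proven otherwise
    }
    // version_compare handles multi-digit components, so 2.4.9 < 2.4.10. A plain
    // string comparison would wrongly rank "2.4.9" above "2.4.10".
    return version_compare($version, KALI_FORMS_FIXED_VERSION, '<');
}

function check_kali_forms(string $main_file): string {
    if (!is_file($main_file)) {
        return "not installed ($main_file not found)";
    }
    // Only the header block is needed; 8 KiB matches what WordPress reads.
    $head    = file_get_contents($main_file, false, null, 0, 8192);
    $version = read_plugin_version($head === false ? '' : $head);
    $label   = $version ?? 'unknown';
    return kali_forms_is_vulnerable($version)
        ? "VULNERABLE: Kali Forms $label (< " . KALI_FORMS_FIXED_VERSION . ")"
        : "patched: Kali Forms $label";
}

// --- Self-check on constructed headers standing in for kali-forms.php ----------
$affected = "<?php\n/**\n * Plugin Name: Kali Forms\n * Version: 2.4.9\n */\n";
$fixed    = "<?php\n/**\n * Plugin Name: Kali Forms\n * Version: 2.4.10\n */\n";
$noheader = "<?php\n// no header at all\n";

var_dump(kali_forms_is_vulnerable(read_plugin_version($affected)));   // true
var_dump(kali_forms_is_vulnerable(read_plugin_version($fixed)));      // false
var_dump(kali_forms_is_vulnerable(read_plugin_version($noheader)));   // true (unknown)

// Real run against the assumed install path:
echo check_kali_forms(KALI_FORMS_MAIN_FILE), "\n";
```

Where WP-CLI is available, `wp plugin get kali-forms --field=version` (slug taken from the Component field above) gives the same number without touching the file system by hand; the point of the script is the comparison, which must be numeric per component, not lexical.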
Update to version 2.4.10, or a newer patched version
CVE-2026-3584 is a critical Remote Code Execution vulnerability in the Kali Forms WordPress plugin, affecting all versions up to and including 2.4.9. It allows unauthenticated attackers to execute arbitrary code on the server.
If you are using Kali Forms version 2.4.9 or earlier, you are affected by this vulnerability. Upgrade to version 2.4.10 or later immediately.
The fix is to upgrade the Kali Forms plugin to version 2.4.10 or later. If upgrading is not possible, temporarily disable the plugin.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the Kali Forms official website and WordPress plugin repository for the latest advisory and update information.