CVE-2026-3584

CRITICAL EXPLOITED NUCLEI

Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process

Title source: cna

Description

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

Exploits (1)

nomisec WORKING POC
by Yucaerin · remote
https://github.com/Yucaerin/CVE-2026-3584

Nuclei Templates (1)

WordPress Kali Forms <= 2.4.9 - Remote Code Execution
CRITICALVERIFIEDby pussycat0x
Shodan: http.component:"WordPress" http.html:"kali-forms"
FOFA: body="kali-forms"

References (3)

Scores

CVSS v3 9.8
EPSS 0.2078
EPSS Percentile 95.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2026-03-20
CWE
CWE-94
Status published
Products (1)
wpchill/Kali Forms — Contact Form & Drag-and-Drop Builder < 2.4.9
Published Mar 20, 2026
Tracked Since Mar 21, 2026