CVE-2026-3584

CRITICAL EXPLOITED NUCLEI

Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process

Title source: cna

Exploitation Summary

CVE-2026-3584 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Yucaerin. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2026-3584, targeting WordPress Kali Forms <= 2.4.9. It includes a detailed technical analysis and a mass scanner script that automates the exploitation of an unauthenticated RCE vulnerability via the `kaliforms_form_process` AJAX endpoint.

Description

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

Exploits (1)

nomisec WORKING POC

by Yucaerin · remote

https://github.com/Yucaerin/CVE-2026-3584

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2026-3584, targeting WordPress Kali Forms <= 2.4.9. It includes a detailed technical analysis and a mass scanner script that automates the exploitation of an unauthenticated RCE vulnerability via the `kaliforms_form_process` AJAX endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress Kali Forms <= 2.4.9

No auth needed

Prerequisites: WordPress site with Kali Forms plugin <= 2.4.9 installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 09, 2026 Full analysis →

Nuclei Templates (1)

WordPress Kali Forms <= 2.4.9 - Remote Code Execution

CRITICALVERIFIEDby pussycat0x

Shodan: http.component:"WordPress" http.html:"kali-forms"

FOFA: body="kali-forms"

References (3)

Core 3

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/6cecd06f-c064-49fd-b3fa-505a5a0c2e0b?source=cve

https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.9/Inc/Frontend/class-form-processor.php#L697

https://plugins.trac.wordpress.org/changeset/3487024/kali-forms

Scores

CVSS v3 9.8

EPSS 0.2873

EPSS Percentile 96.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2026-03-20

CWE

CWE-94

Status published

Products (1)

wpchill/Kali Forms — Contact Form & Drag-and-Drop Builder < 2.4.9

Published Mar 20, 2026

Tracked Since Mar 21, 2026