Security Alert Summary
The Kali Forms – Contact Form & Drag-and-Drop Builder plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the meta[kaliforms_field_components] parameter. Insufficient input sanitization and output escaping in affected versions up to and including 2.4.13 allow authenticated users with contributor-level access and above to inject scripts that execute whenever a user views the page carrying the injected content.
CVE Details
- CVE ID: CVE-2026-9107
- Affected plugin or component: Kali Forms – Contact Form & Drag-and-Drop Builder
- Affected versions: All versions up to and including 2.4.13
- Published: July 1, 2026 5:16:25 AM UTC
- Last modified: July 1, 2026 1:56:17 PM UTC
- CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / Privileges / User interaction: Requires an authenticated user; privileges required correspond to contributor-level access or higher (CVSS PR:L); user interaction not required (UI:N).
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation (Cross-site Scripting))
Technical Details
The vulnerability is a stored XSS issue that arises from insufficient input sanitization and output escaping for the meta[kaliforms_field_components] parameter. An authenticated attacker with contributor-level access or higher can submit payloads that are stored by the plugin and rendered later when the affected page is displayed.
References in the reported data point to backend code paths and builder components involved in handling form components (for example, Inc/Backend/Posts/class-forms.php and resources/assets/js/forms/components/Builder/BuilderFormField.jsx). The lack of appropriate sanitization and escaping in these code paths is the root cause identified in the report.
When a page containing an injected payload is viewed, the browser executes the attacker-supplied script in the context of the site. Because the script runs in the site's origin, it can manipulate the DOM and read any information the page exposes to script. Based on the reported data, the impact is confined to what script execution in that page context can achieve, which matches the low confidentiality and integrity impacts and the absence of an availability impact described by the CVSS metrics.
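As an added illustration (not the Kali Forms plugin's code), the sanitize-on-save and escape-on-output pattern that closes this class of stored XSS in a WordPress form builder. The component array shape, the function names, the nonce action and field name, and the fact that the save handler would be attached to a save hook are all assumptions made for the example.

```php
<?php
// Added illustration, not the Kali Forms plugin's code. Assumes each component
// is an array with 'type', 'label', 'placeholder' and 'required' keys.
// Reduce every submitted component to plain-text values with known keys only.
function example_sanitize_components( $components ) {
    if ( ! is_array( $components ) ) {
        return array();
    }
    $clean = array();
    foreach ( $components as $component ) {
        if ( ! is_array( $component ) ) {
            continue;
        }
        $item = array( 'required' => ! empty( $component['required'] ) );
        foreach ( array( 'type', 'label', 'placeholder' ) as $key ) {
            if ( isset( $component[ $key ] ) && is_scalar( $component[ $key ] ) ) {
                // sanitize_text_field() strips tags and normalises entities.
                $item[ $key ] = sanitize_text_field( wp_unslash( (string) $component[ $key ] ) );
            }
        }
        $clean[] = $item;
    }
    return $clean;
}

// Save path: capability and nonce checks, then store only sanitized data.
// 'example_save_form' / 'example_nonce' are placeholder nonce action and field names.
function example_save_components( $post_id ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'example_save_form', 'example_nonce' );
    $raw = isset( $_POST['meta']['kaliforms_field_components'] ) ? $_POST['meta']['kaliforms_field_components'] : array();
    update_post_meta( $post_id, 'kaliforms_field_components', example_sanitize_components( $raw ) );
}

// Output path: escape at render time, regardless of what is already stored.
function example_render_components( $post_id ) {
    $components = get_post_meta( $post_id, 'kaliforms_field_components', true );
    foreach ( array_filter( (array) $components, 'is_array' ) as $c ) {
        printf(
            '<label>%s <input type="%s" placeholder="%s"%s></label>',
            esc_html( $c['label'] ?? '' ),
            esc_attr( $c['type'] ?? 'text' ),
            esc_attr( $c['placeholder'] ?? '' ),
            ! empty( $c['required'] ) ? ' required' : ''
        );
    }
}
```

Sanitizing on save protects new data; escaping on output is what protects a site whose database already holds values stored by a vulnerable version.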
How This Could Impact Your Website
Consider a site with an owner, internal staff who publish content, and an external contractor who contributes posts. If an attacker who has contributor-level access injects a malicious script into a form component, that script could run when internal staff or the owner view the page. Practical consequences include potential exposure of information visible to the page (for example, content or user-visible data), and an increased risk of targeted phishing or social engineering if attacker-controlled scripts harvest visible email addresses or personalize deceptive content.
This vulnerability does not necessarily allow full site takeover based on the provided information, but it does raise the risk of credential or session token exposure in contexts where scripts can access such data. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and themes.
- Monitor site activity and logs for unusual behavior, especially changes to posts, forms, or stored component data.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.10/Inc/Backend/Posts/class-forms.php#L381
- https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.10/Inc/Backend/Posts/class-forms.php#L391
- https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.10/resources/assets/js/forms/components/Builder/BuilderFormField.jsx#L332
- https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.10/resources/assets/js/forms/components/Builder/BuilderFormField.jsx#L96
- https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.11/Inc/Backend/Posts/class-forms.php#L381
- https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.11/Inc/Backend/Posts/class-forms.php#L391
- https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.11/resources/assets/js/forms/components/Builder/BuilderFormField.jsx#L332
- https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.11/resources/assets/js/forms/components/Builder/BuilderFormField.jsx#L96
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fkali-forms/tags/2.4.13&new_path=%2Fkali-forms/tags/2.4.14
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3d81e41d-e62c-49d7-bba5-6a2a0a586c84?source=cve