Security Alert Summary
The Kali Forms plugin for WordPress contains a remote code execution vulnerability in all versions up to, and including, 2.4.9. The flaw exists in the form_process function and is caused by prepare_post_data mapping user-supplied keys into internal placeholder storage, combined with the use of call_user_func on those placeholder values. An unauthenticated attacker can exploit this to execute code on the server.
CVE Details
- CVE ID: CVE-2026-3584
- Affected component: Kali Forms plugin for WordPress
- Affected versions: All versions up to, and including, 2.4.9
- Published: March 20, 2026 10:16:29 PM
- Last modified: March 20, 2026 10:16:29 PM
- CVSS v3.1: Base Score 9.8, Severity CRITICAL, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / Privileges / User Interaction: Authentication required: None; Privileges required: None; User interaction: None
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness (CWE): CWE-94 (Improper Control of Generation of Code)
Technical Details
The vulnerability is a remote code execution (RCE) issue introduced by how form input is processed. The plugin’s prepare_post_data function maps user-supplied keys directly into internal placeholder storage. Those placeholder values are later passed to call_user_func inside the form_process function without sufficient validation or sanitization of the callable content. Because an attacker can supply values that are treated as callables, this allows execution of arbitrary code on the server in the context of the web application.
This flow is also why the CVE data shows no privilege or user-interaction requirement: user-controllable input reaches a function-invocation site directly, so an unauthenticated request is enough to trigger code execution.
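To make the pattern concrete, the following is an added illustration written for this advisory. It is not Kali Forms' own code: the function names, the curly-brace placeholder syntax, the field names and the sample request are all assumptions. It shows a simplified handler with the CWE-94 defect described above (request keys copied into placeholder storage, stored values passed to call_user_func) next to a hardened version in which placeholder names only select branches of a fixed allowlist and submitted fields are always treated as data.

```php
<?php
declare(strict_types=1);

// Illustration added for this advisory; NOT Kali Forms' code. Names and the
// placeholder syntax are assumptions chosen to show the CWE-94 pattern and
// one way to harden it.

// ---- Vulnerable pattern --------------------------------------------------
// Every submitted key becomes a placeholder, and every stored value may be
// handed to call_user_func. Nothing ties the callable to a plugin-defined set.
function vulnerable_prepare_post_data(array $post): array
{
    $placeholders = [];
    foreach ($post as $key => $value) {
        $placeholders['{' . $key . '}'] = $value; // key and value both user-controlled
    }
    return $placeholders;
}

function vulnerable_form_process(array $placeholders): array
{
    $resolved = [];
    foreach ($placeholders as $name => $value) {
        // is_callable() is true for any string naming a defined function,
        // so this check does not restrict what gets executed.
        $resolved[$name] = is_callable($value) ? call_user_func($value) : $value;
    }
    return $resolved;
}

// ---- Hardened pattern ----------------------------------------------------
// 1. The placeholder name selects a branch in a fixed allowlist; it is never
//    interpreted as a function name, so no request string reaches call_user_func.
// 2. Submitted fields are accepted only from the form's declared field list
//    and are stored and rendered strictly as escaped data.
function resolve_builtin_placeholder(string $name): ?string
{
    switch ($name) {
        case '{submitted_at}':
            return gmdate('Y-m-d\TH:i:s\Z');
        case '{site_name}':
            return 'Example Site'; // in WordPress this would come from get_bloginfo('name')
        default:
            return null;           // unknown placeholder: nothing is invoked
    }
}

function safe_prepare_post_data(array $post, array $declaredFields): array
{
    $data = [];
    foreach ($declaredFields as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $data[$field] = $post[$field];
        }
    }
    return $data; // keys come from the form definition, never from the request
}

function safe_form_process(array $data, string $template): string
{
    return preg_replace_callback('/\{([a-z_]+)\}/', function (array $m) use ($data): string {
        $builtin = resolve_builtin_placeholder($m[0]);
        if ($builtin !== null) {
            return $builtin;
        }
        // Field values are inserted as escaped text, never executed.
        return isset($data[$m[1]]) ? htmlspecialchars($data[$m[1]], ENT_QUOTES, 'UTF-8') : '';
    }, $template);
}

// Constructed sample request (a real handler would read $_POST): one field
// whose name and value spell the name of a harmless built-in function.
$post = ['name' => 'Ada', 'message' => 'Hello <b>there</b>', 'phpversion' => 'phpversion'];

// Vulnerable path: the '{phpversion}' placeholder now holds the return value
// of phpversion(), i.e. the submitted string was executed as a function.
$vulnerable = vulnerable_form_process(vulnerable_prepare_post_data($post));
var_dump($vulnerable['{phpversion}'] === phpversion());

// Hardened path: '{phpversion}' is neither a built-in placeholder nor a
// declared field, so it renders as an empty string; the message is escaped.
$template = 'From {name} at {submitted_at}: {message} / {phpversion}';
echo safe_form_process(safe_prepare_post_data($post, ['name', 'message']), $template), PHP_EOL;
```

The important design choice is that the hardened version never derives a callable from request data at all: the allowlist is a switch over literal placeholder names, and `is_callable()` is not used as a guard, because it accepts any string that happens to name a defined function.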
How This Could Impact Your Website
In a typical small business WordPress site, multiple roles interact with the site: the site owner, internal staff who manage content, and external contractors or contributors who submit forms. If the site uses an affected version of Kali Forms, an unauthenticated attacker could exploit the vulnerability to run code on the server.
Practical consequences may include exposure of stored data (for example, internal user email addresses), modification or deletion of content, or installation of backdoors that increase the risk of targeted phishing and social engineering against staff and contractors. These impacts relate directly to the CVSS confidentiality, integrity, and availability ratings.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can submit content.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and server logs for unusual behavior, such as unexpected PHP execution or new files.
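For the monitoring step, the following is an added example written for this advisory, not a component of Kali Forms or WordPress. It scans a wp-content directory (path supplied by the caller) for two indicators a defender would review after an RCE advisory: PHP files under the uploads directory, which should hold only media, and any file modified within a recent window. It builds a small constructed directory tree in a temp folder so it runs offline; PHP 8 is assumed for str_starts_with().

```php
<?php
declare(strict_types=1);

// Added example; not part of the advisory, Kali Forms or WordPress. Assumes
// PHP 8 (str_starts_with) and a wp-content path supplied by the caller.

// Returns ['php_in_uploads' => [...], 'recently_modified' => [...]].
function scan_wp_content(string $wpContent, int $recentSeconds, ?int $now = null): array
{
    $now = $now ?? time();
    $findings = ['php_in_uploads' => [], 'recently_modified' => []];
    $uploads = rtrim($wpContent, '/') . '/uploads';

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($wpContent, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        // PHP files do not belong under uploads; match common PHP extensions.
        if (str_starts_with($path, $uploads) && preg_match('/\.(php|phtml|php[3-8])$/i', $path)) {
            $findings['php_in_uploads'][] = $path;
        }
        // Anything changed inside the window deserves a look, whatever its extension.
        if ($now - $file->getMTime() <= $recentSeconds) {
            $findings['recently_modified'][] = $path;
        }
    }
    sort($findings['php_in_uploads']);
    sort($findings['recently_modified']);
    return $findings;
}

// Constructed demo tree: one media file, one suspicious PHP file in uploads,
// and one month-old legitimate plugin file.
$root = sys_get_temp_dir() . '/wp-content-demo-' . getmypid();
mkdir("$root/uploads/2026/03", 0700, true);
mkdir("$root/plugins/example-plugin", 0700, true);
file_put_contents("$root/uploads/2026/03/photo.jpg", 'constructed: not really a jpeg');
file_put_contents("$root/uploads/2026/03/cache.php", "<?php // constructed suspicious file\n");
file_put_contents("$root/plugins/example-plugin/plugin.php", "<?php // constructed legitimate plugin file\n");
touch("$root/plugins/example-plugin/plugin.php", time() - 30 * 86400);

$report = scan_wp_content($root, 86400); // 24-hour window
foreach ($report['php_in_uploads'] as $p) {
    echo "PHP file inside uploads: $p", PHP_EOL;
}
foreach ($report['recently_modified'] as $p) {
    echo "Modified in the last 24h: $p", PHP_EOL;
}

// Remove the demo tree.
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

Run it against a real installation by replacing `$root` with the site's wp-content path and dropping the constructed tree; a legitimate plugin update also shows up as "recently modified", so compare the list against the site's change log before treating a hit as an incident.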
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.