VYPR

Kali Forms

by Kaliforms

Source repositories

CVEs (6)

  • CVE-2026-3584 · Critical · Mar 20, 2026
    risk 0.59 · cvss 9.8 · epss 0.07

    The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined…

  • CVE-2020-36717 · High · Jun 7, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to incorrect nonce handling throughout the plugin's function. This makes it possible for unauthenticated attackers to access the plugin's…

  • CVE-2020-36712 · High · Jun 7, 2023
    risk 0.56 · cvss 8.6 · epss 0.01

    The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for…

  • CVE-2024-22305 · High · Jan 31, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Kali Forms Contact Form builder with drag & drop for WordPress – Kali Forms. This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.

  • CVE-2020-36720 · High · Jun 7, 2023
    risk 0.46 · cvss 7.1 · epss 0.01

    The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change (or delete) the…

  • CVE-2026-1860 · Medium · Feb 18, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the…