Critical Kali Forms WordPress Plugin Flaw Under Active Exploitation
Attackers are actively exploiting CVE-2026-3584, a critical unauthenticated Remote Code Execution vulnerability in the Kali Forms WordPress plugin, with over 312,000 blocked exploit attempts.

Attackers are actively exploiting a critical unauthenticated Remote Code Execution (RCE) vulnerability in the Kali Forms WordPress plugin, according to a disclosure from Wordfence. The flaw, tracked as CVE-2026-3584 and carrying a CVSS score of 9.8, affects all versions of the plugin up to and including 2.4.9. Kali Forms is a drag-and-drop form builder with more than 10,000 active installations, making it a significant target for mass exploitation campaigns.
The vulnerability resides in the plugin's `form_process` function, specifically within the `_save_data()` method of the `Form_Processor` class. The root cause is a failure to sanitize user-supplied keys before they are stored in an internal array called `placeholdered_data`. This array is intended to hold placeholder values such as `{entryCounter}` or `{thisPermalink}`, which are later passed directly to PHP's `call_user_func()` function. Because an attacker can overwrite these placeholders with arbitrary strings, they can cause the server to execute any PHP function that accepts a single integer argument.
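A simplified illustration of the pattern described above (user-supplied keys merged into the placeholder map and later fed to `call_user_func()`) next to a hardened version that keeps callables in a fixed allowlist. This is an added example, not Kali Forms' code or the vendor's patch; it assumes WordPress is loaded for `absint`, `sanitize_key`, `sanitize_text_field`, `wp_unslash` and `get_permalink`, and `my_next_entry_counter` is a hypothetical helper.

```php
<?php
// Simplified illustration (added here, not Kali Forms' own code) of the
// call_user_func() placeholder pattern described above, and one way to harden it.

// Placeholder name => callable that computes its value from the submitted form id.
$placeholder_callbacks = [
    '{entryCounter}'  => 'my_next_entry_counter', // hypothetical helper, defined below
    '{thisPermalink}' => 'get_permalink',         // real WordPress function
];

function my_next_entry_counter( $form_id ) { return (int) $form_id + 1; } // hypothetical

// VULNERABLE: user-controlled keys are merged straight into the placeholder map,
// so a POST field named "{entryCounter}" replaces the callable name with whatever
// string the client chose, and call_user_func() then invokes it with $form_id.
function resolve_placeholders_vulnerable( array $post, array $callbacks ) {
    $placeholdered_data = $callbacks;
    foreach ( $post as $key => $value ) {
        $placeholdered_data[ $key ] = $value; // no key sanitization
    }
    $form_id = isset( $post['formId'] ) ? (int) $post['formId'] : 0;
    $out = [];
    foreach ( $placeholdered_data as $name => $callback ) {
        if ( is_callable( $callback ) ) {
            $out[ $name ] = call_user_func( $callback, $form_id );
        }
    }
    return $out;
}

// HARDENED: the callable map is a fixed allowlist that submitted data never reaches;
// user fields are sanitized, stored as plain values, and may not shadow a placeholder.
function resolve_placeholders_hardened( array $post, array $callbacks ) {
    $form_id = isset( $post['formId'] ) ? absint( $post['formId'] ) : 0;
    $out = [];
    foreach ( $callbacks as $name => $callback ) {
        $out[ $name ] = call_user_func( $callback, $form_id ); // allowlisted callables only
    }
    foreach ( $post as $key => $value ) {
        $key = sanitize_key( $key ); // lowercase a-z, 0-9, '_' and '-' only: braces are stripped
        if ( $key === '' || isset( $out[ $key ] ) ) {
            continue; // never let a submitted key overwrite a computed placeholder
        }
        $out[ $key ] = sanitize_text_field( wp_unslash( $value ) ); // stored as data, never called
    }
    return $out;
}

// Usage (hypothetical request): resolve_placeholders_hardened( $_POST, $placeholder_callbacks );
```

The defensive point is structural: submitted data and the table of callables live in separate arrays, so no request field can change which function is invoked.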
Wordfence researchers demonstrated a practical exploit path to full site compromise using this technique. By setting the `{entryCounter}` placeholder to `wp_set_auth_cookie` and submitting a `formId` of `1`, the plugin executes `wp_set_auth_cookie(1)`. Since user ID 1 is typically the default WordPress administrator account, this call generates a valid authentication cookie for the admin user. The attacker can then use that cookie to log in as an administrator, navigate to the theme editor, and inject malicious PHP code into the site's `functions.php` file, achieving persistent backdoor access.
The vendor released a patched version, 2.4.10, on March 20, 2026 — the same day Wordfence records show that attackers began exploiting the vulnerability in the wild. Wordfence Premium, Care, and Response users received a firewall rule blocking exploit attempts on March 5, 2026, while free-tier users were protected after a 30-day delay on April 4, 2026. As of the disclosure date, the Wordfence firewall has blocked over 312,200 exploit attempts targeting this vulnerability, indicating a high volume of active scanning and exploitation.
Wordfence urges all sites running Kali Forms to update to version 2.4.10 immediately. The vulnerability was discovered through the Wordfence Bug Bounty Program, with researcher ISMAILSHADOW receiving a $2,145.00 bounty for the report. This incident highlights the ongoing risk posed by WordPress plugins that fail to properly validate user input before using it in dangerous PHP functions like `call_user_func`, a pattern that has led to numerous critical RCE vulnerabilities in the WordPress ecosystem.