WordPress plugins play a vital role in extending the platform’s capabilities, yet they are frequently a weak point in site security. One such case is the Kali Forms plugin, a drag-and-drop form builder currently active on over 30,000 installations. A critical vulnerability, now assigned CVE-2025-3201, was discovered in the plugin that permits users with only Contributor-level privileges to inject and store malicious JavaScript. This XSS payload can be used to hijack administrator sessions, ultimately leading to the creation of rogue admin accounts and full site compromise.
| CVE | CVE-2025-3201 |
| Kali Forms < 2.4.3 | |
| Critical | High |
| All Time | 1 386 783 |
| Active installations | 30 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3201 https://wpscan.com/vulnerability/4248289f-36d2-41c5-baf6-bb2c630482ef/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| March 28, 2025 | Plugin testing and vulnerability detection in the Contact Form builder with drag & drop for WordPress – Kali Forms have been completed |
| March 28, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| May 30, 2025 | Registered CVE-2025-3201 |
Discovery of the Vulnerability
During routine plugin testing, the vulnerability was discovered in how user-supplied data is handled in the form builder. Specifically, the plugin fails to properly sanitize option labels added within the Dropdown field component. This allows a Contributor-level user—who by default should have minimal access—to insert JavaScript event handlers into form options that are later rendered without output escaping. The fact that this input can be stored and executed on the frontend from a simple post or page makes it particularly dangerous and easy to trigger.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) remains one of the most impactful vulnerabilities in the WordPress plugin ecosystem. Unlike Reflected XSS, Stored XSS persists in the database and is served to all users visiting the affected page or interface. Attackers often use this vector to execute JavaScript that can perform administrative actions through session hijacking or API abuse. A well-crafted payload can silently create new administrator users, change plugin settings, or inject persistent malware into the site — especially when paired with roles that lack unfiltered_html, such as Contributors.
Exploiting the XSS Vulnerability
To exploit CVE-2025-3201, an attacker with contributor+ privileges:
POC:
1) Create a new Form with "Dropdown" block 2) Add here new "Choice" in "Options" settings with following payload: 123" onclick=alert(1)// 3) To trigger XSS you should put shortcode of new Form to any Post/Page and click on option.____
This vulnerability carries severe real-world implications. A Contributor, often considered a low-risk role, can leverage this flaw to escalate privileges without needing any approval from higher-level users. Once the script is executed in an admin’s session, it can issue AJAX or REST calls to perform privileged actions — from installing plugins to creating new administrator accounts. This effectively breaks WordPress’s access control model, giving attackers full control of the site with minimal initial privileges.
Recommendations for Improved Security
To mitigate this and similar vulnerabilities:
- Sanitize all user inputs, especially those rendered in dynamic interfaces like forms.
- Escape output consistently using functions such as
esc_html(),esc_attr(), orwp_kses()based on context. - Limit frontend script execution by disallowing inline events like
onclick,onmouseover, etc., in form labels or choices. - Reassess Contributor permissions in your site’s security model — restrict form creation and shortcode usage for low-privilege users.
- Update immediately to the patched version when available, and monitor access logs for any unusual behavior.
To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3201, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.