Vulnerabilities and security researches forkali-forms kali-forms
Direction: descendingContact Form builder with drag & drop for WordPress – Kali Forms # CVE-2026-1860
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Feb 18, 2026
- Research Description
- The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
- Affected versions
-
max 2.4.9.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2026-3584
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Mar 21, 2026
- Research Description
- The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
- Affected versions
-
max 2.4.10.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2025-3201
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- May 16, 2025
- Research Description
- The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
- Affected versions
-
max 2.4.3.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2023-46083
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Jan 02, 2025
- Research Description
- Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop - Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form builder with drag & drop - Kali Forms: from n/a through 2.3.27.
- Affected versions
-
max 2.3.28.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2023-45275
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Jan 02, 2025
- Research Description
- Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop - Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form builder with drag & drop - Kali Forms: from n/a through 2.3.28.
- Affected versions
-
max 2.3.29.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # df632be42db45b1b9c83fc4e7a3345d79bb757ff
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Aug 21, 2020
- Research Description
- Contact Form builder with drag & drop for WordPress – Kali Forms [kali-forms] < 2.1.2 WordPress Contact Form builder with drag & drop plugin <= 2.1.1 - Unauthenticated Arbitrary Post Deletion vulnerability Unauthenticated Arbitrary Post Deletion vulnerability discovered by NinTechNet in WordPress Contact Form builder with drag & drop plugin (versions <= 2.1.1).
- Affected versions
-
max 2.1.2.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2020-36717
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Jun 07, 2023
- Research Description
- The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to incorrect nonce handling throughout the plugin's function. This makes it possible for unauthenticated attackers to access the plugin's administrative functions via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 2.1.2.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2024-1217
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Feb 29, 2024
- Research Description
- The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to deactivate any active plugins.
- Affected versions
-
max 2.3.42.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2020-36712
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Jun 07, 2023
- Research Description
- The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for unauthenticated attackers to delete any site post or page with the id parameter.
- Affected versions
-
max 2.1.2.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2020-36720
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Jun 07, 2023
- Research Description
- The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change (or delete) the plugin's settings.
- Affected versions
-
max 2.1.2.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2024-22305
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Jan 31, 2024
- Research Description
- Authorization Bypass Through User-Controlled Key vulnerability in ali Forms Contact Form builder with drag & drop for WordPress – Kali Forms.This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.
- Affected versions
-
max 2.3.37.
- Status
-
vulnerable
Contact Form builder with drag & drop for WordPress – Kali Forms # CVE-2024-1218
- CVE, Research URL
- Home page URL
-
Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms
- Date
- Feb 29, 2024
- Research Description
- The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized access and modification of data via API due to an inconsistent capability check on several REST endpoints in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with contributor access and higher, to obtain access to or modify forms or entries.
- Affected versions
-
max 2.3.42.
- Status
-
vulnerable