cleantalk
Vulnerabilities and Security Researches

Contact Form builder with drag & drop for WordPress – Kali Forms, CVE-2026-1860

CVE, Research URL

CVE-2026-1860

Home page URL

Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms

Application

Contact Form builder with drag & drop for WordPress – Kali Forms

Published on
Feb 18, 2026
Research Description
The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
Affected versions
max 2.4.9.
Status
vulnerable
Previous vulnerability researches
Conditional Menus (CVE-2023-2654) , Jun 07, 2024
Conditional Menus (CVE-2026-1032) , Apr 14, 2026
New vulnerability
Spectra – WordPress Gutenberg Blocks (CVE-2026-0950) , Apr 15, 2026
Snow Monkey Forms (CVE-2026-1056) , Apr 15, 2026
Timeline Event History (CVE-2026-1127) , Apr 15, 2026
Beaver Builder – WordPress Page Builder (CVE-2026-1231) , Apr 15, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-6461) , Apr 15, 2026