cleantalk
Vulnerabilities and Security Researches

Contact Form builder with drag & drop for WordPress – Kali Forms, CVE-2026-1860

CVE, Research URL

CVE-2026-1860

Home page URL

Security reports for Contact Form builder with drag & drop for WordPress – Kali Forms

Application

Contact Form builder with drag & drop for WordPress – Kali Forms

Published on
Feb 18, 2026
Research Description
The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
Affected versions
max 2.4.9.
Status
vulnerable
Previous vulnerability researches
WP-DownloadManager (CVE-2021-44760) , Jun 06, 2024
WP-DownloadManager (CVE-2013-2697) , Jun 06, 2024
WP-DownloadManager (CVE-2022-25606) , Jun 06, 2024
WP-DownloadManager (CVE-2020-24141) , Jun 06, 2024
WP-DownloadManager (CVE-2022-25605) , Jun 06, 2024
New vulnerability
Beaver Builder – WordPress Page Builder (CVE-2026-1231) , Apr 15, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-6461) , Apr 15, 2026
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF (CVE-2026-1246) , Apr 15, 2026
NextScripts: Social Networks Auto-Poster (CVE-2026-3228) , Apr 15, 2026
Code Snippets (CVE-2026-1785) , Apr 15, 2026