A critical Remote Code Execution (RCE) vulnerability in the popular Kali Forms plugin for WordPress has been under active attack since its public disclosure on March 20, 2026. The plugin has over 10,000 active installations, and vulnerable versions allow unauthenticated attackers to execute arbitrary code on the server through the ‘form_process’ function. Wordfence, a leading WordPress security provider, has blocked more than 312,200 exploit attempts targeting this vulnerability since its disclosure.
Key Takeaways
- The RCE vulnerability in Kali Forms affects plugin versions up to 2.4.9.
- Attackers began exploiting the flaw on March 20, 2026, immediately after public disclosure.
- Wordfence Premium users received protection on March 5, while free users gained access on April 4.
- The patched version, 2.4.10, prevents exploitation; immediate updates are recommended.
Details of the Vulnerability
The vulnerability, identified as CVE-2026-3584, carries a CVSS score of 9.8, classifying it as critical. It stems from the plugin’s ‘prepare_post_data’ function, which inadequately filters user-supplied data. This flaw allows attackers to overwrite internal placeholder values with malicious data. When the plugin executes these placeholders via ‘call_user_func’, the attacker’s inputs are treated as executable PHP functions.
Exploitation Methodology
One particularly dangerous exploitation scenario involves authentication bypass. By setting the placeholder {entryCounter} to ‘wp_set_auth_cookie’ and manipulating the ‘formId’ parameter, an attacker can force the plugin to execute ‘wp_set_auth_cookie(1)’, granting administrator-level access to the WordPress site. This access then enables attackers to inject malicious code into critical files, such as ‘functions.php’, resulting in compromised sites.
Timeline of Events
The vulnerability was reported to Wordfence on March 2, 2026, under its Bug Bounty Program. Wordfence promptly issued a firewall rule to Premium users on March 5, followed by free users on April 4, adhering to its standard 30-day delay policy. The plugin vendor released the patched version, 2.4.10, on March 20, the same day Wordfence disclosed the vulnerability publicly. Exploitation began almost immediately, emphasizing the urgency for site owners to update.
Impact on WordPress Sites
Wordfence reports over 312,200 exploit attempts since the vulnerability disclosure, with a surge in attacks between April 4 and April 10. Sites that have not updated to version 2.4.10 remain vulnerable to attacks that can lead to full site compromise, including malware injections and unauthorized administrative access.
Warning: If your site uses Kali Forms and is running any version prior to 2.4.10, update immediately to mitigate risk.
What This Means for WordPress Users
This vulnerability underscores the importance of maintaining up-to-date plugins and leveraging proactive security measures. WordPress site owners using Kali Forms must prioritize updating to version 2.4.10 to eliminate the risk of exploitation. Additionally, using a firewall, such as Wordfence Premium, provides another layer of protection, especially against zero-day attacks.
For developers, this incident demonstrates the dangers of combining weak input validation with dynamic function execution inside a plugin. Following secure coding practices, such as rigorously sanitizing input and never passing user-influenced values to functions like ‘call_user_func’ without a fixed allowlist, can prevent vulnerabilities like this.
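The placeholder-and-‘call_user_func’ pattern described under Details of the Vulnerability, written in the hardened form the advice above calls for. This is an added illustration for this article, not Kali Forms’ own code: the PlaceholderResolver class, its placeholder names and the template string are assumptions, while wp_unslash, sanitize_text_field, absint and esc_html are standard WordPress helpers.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical placeholder
// resolver for notification templates that never hands a request-supplied
// value to call_user_func().

final class PlaceholderResolver {
    /** @var array<string, callable> code-defined map: placeholder name => resolver */
    private array $resolvers;

    public function __construct( int $form_id, int $entry_counter ) {
        // The only callables that can ever run are these closures. A submitted
        // field named "entryCounter" cannot replace this entry, because the
        // request body is never merged into $this->resolvers.
        $this->resolvers = [
            'entryCounter' => static fn( array $fields ): string => (string) $entry_counter,
            'formId'       => static fn( array $fields ): string => (string) $form_id,
            'submittedAt'  => static fn( array $fields ): string => gmdate( 'c' ),
        ];
    }

    /**
     * Replace {name} tokens in $template. Tokens with no entry in the allowlist
     * are left as literal text instead of being resolved dynamically.
     */
    public function render( string $template, array $fields ): string {
        return preg_replace_callback(
            '/\{([A-Za-z0-9_]+)\}/',
            function ( array $m ) use ( $fields ): string {
                if ( ! isset( $this->resolvers[ $m[1] ] ) ) {
                    return $m[0];
                }
                // Submitted fields are passed only as *data* to a fixed closure.
                return esc_html( ( $this->resolvers[ $m[1] ] )( $fields ) );
            },
            $template
        );
    }
}

// Usage with constructed input: sanitize every submitted field up front and
// read the form id as an integer rather than trusting a raw string. The entry
// counter would normally come from storage; it is hard-coded to 1 here.
$raw      = isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) ? wp_unslash( $_POST['fields'] ) : [];
$fields   = array_map( 'sanitize_text_field', array_filter( $raw, 'is_string' ) );
$resolver = new PlaceholderResolver( absint( $_POST['formId'] ?? 0 ), 1 );
echo $resolver->render( 'Entry {entryCounter} of form {formId} at {submittedAt}', $fields );
```

Because the resolver map is built only from code, a submission that tries to supply a function name in place of a placeholder value simply becomes an ordinary string field.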
For agencies managing multiple WordPress sites, this serves as a reminder to audit plugin usage regularly and enforce patching protocols. Vulnerabilities in plugins with high privilege access, like form handlers, can lead to catastrophic consequences if left unaddressed.
Frequently Asked Questions
What versions of Kali Forms are affected?
All versions up to and including 2.4.9 are affected. The patched version is 2.4.10.
How can I protect my site?
Update the Kali Forms plugin to version 2.4.10 immediately. Use a security firewall like Wordfence for added protection.
What happens if my site is compromised?
If compromised, attackers may gain administrator access, inject malware, and steal sensitive information. Restore your site from a clean backup and review security settings.
How do I know if my site has been targeted?
Check your site’s logs for unusual activity, such as unauthorized admin logins or changes to theme files. Tools like Wordfence can also alert you to blocked exploit attempts.