CVE-2026-1860

Name of the Vulnerable Software and Affected Versions Kali Forms plugin for WordPress versions up to and including 2.4.8

Description The software contains an Insecure Direct Object Reference issue. The get items permissions check() permission callback on the /kaliforms/v1/forms/{id} API endpoint only verifies the edit posts capability, without confirming user ownership or authorization for the specific form resource. This allows authenticated attackers with Contributor-level access or higher to view form configuration data belonging to other users, including administrators, by identifying form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.

Recommendations Update Kali Forms plugin to a version later than 2.4.8.