PT-2026-26682 · Wpchill · Kali Forms — Contact Form & Drag-And-Drop Builder

Ismailshadow · Published 2026-03-20 · Updated 2026-03-20 · CVE-2026-3584

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-3584

Affected Products: Kali Forms — Contact Form & Drag-And-Drop Builder