CVE-2026-3584

Name of the Vulnerable Software and Affected Versions Kali Forms versions prior to 2.4.9

Description The Kali Forms plugin for WordPress is susceptible to Remote Code Execution in versions up to and including 2.4.9. This is due to the prepare post data function mapping user-supplied keys directly into internal placeholder storage, combined with the use of call user func on these placeholder values. This allows unauthenticated attackers to execute code on the server. The vulnerability is triggered via the form process function. The issue involves user-controlled placeholders and the call user func function, which can lead to unauthorized code execution.

Recommendations Versions prior to 2.4.9 should be updated.