PT-2026-53813 · WordPress · Kali Forms
She11F · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-11581

| CVSS v3.1 | 5.9 (Medium) |
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin versions prior to 2.4.13
Description
Stored Cross-Site Scripting occurs because the plugin fails to sanitize a form field's caption before it is displayed as a column header on the administrator form-entries screen. This allows users with Contributor-level access or higher to store JavaScript that executes within an administrator's session. Additionally, a missing capability check in the post-duplication action allows a Contributor to publish the malicious form, ensuring an administrator renders the script.
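The two defects described above, illustrated with a constructed minimal example that is not Kali Forms' own code: a hypothetical entries-table renderer that echoes a field caption raw, beside the escaped version, and a hypothetical duplication handler with and without a capability check. All function names below are assumptions; only `esc_html`, `current_user_can`, `check_admin_referer`, `absint`, `get_post`, `wp_insert_post` and `wp_die` are real WordPress APIs.

```php
<?php
// Constructed illustration, not the plugin's code. Names are hypothetical.

// --- Defect 1: caption rendered as a column header without escaping ---
function vulnerable_render_header( array $fields ) {
    echo '<tr>';
    foreach ( $fields as $field ) {
        // caption is set by a Contributor and echoed unescaped on an admin page
        echo '<th>' . $field['caption'] . '</th>';
    }
    echo '</tr>';
}

function fixed_render_header( array $fields ) {
    echo '<tr>';
    foreach ( $fields as $field ) {
        // esc_html() turns any markup in the caption into inert text
        echo '<th>' . esc_html( $field['caption'] ) . '</th>';
    }
    echo '</tr>';
}

// --- Hypothetical helper: copies a post and publishes the copy ---
function duplicate_form_post( $post_id ) {
    $source = get_post( $post_id );
    if ( ! $source ) {
        return 0;
    }
    return wp_insert_post( array(
        'post_title'   => $source->post_title . ' (copy)',
        'post_content' => $source->post_content,
        'post_type'    => $source->post_type,
        'post_status'  => 'publish',
    ) );
}

// --- Defect 2: duplication action reachable without a capability check ---
function vulnerable_duplicate_action() {
    $post_id = absint( $_GET['post'] ?? 0 );
    duplicate_form_post( $post_id ); // no nonce, no capability check
}

function fixed_duplicate_action() {
    $post_id = absint( $_GET['post'] ?? 0 );
    // confirm the request is intentional and the caller may edit and publish
    check_admin_referer( 'duplicate_form_' . $post_id );
    if ( ! current_user_can( 'edit_post', $post_id ) || ! current_user_can( 'publish_posts' ) ) {
        wp_die( esc_html__( 'Not allowed to duplicate this form.', 'textdomain' ), 403 );
    }
    duplicate_form_post( $post_id );
}
```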
Recommendations
Update Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin to version 2.4.13 or later.
Affected Products
Kali Forms