Kali Forms: Hackers Exploit Kali Forms Vulnerability to Take Over WordPress Sites

Critical Kali Forms WordPress Plugin Vulnerability Exploited in the Wild

A severe Remote Code Execution (RCE) vulnerability in Kali Forms, a popular WordPress plugin with over 10,000 active installations, has been actively exploited following its public disclosure. The flaw affects versions up to and including 2.4.9 and allows unauthenticated attackers to execute arbitrary code on vulnerable websites, leading to potential full site takeovers.

Timeline of the Vulnerability

  • March 2, 2026: The RCE flaw was reported via a bug bounty program.
  • March 5, 2026: Wordfence Premium, Care, and Response users received firewall protection.
  • March 20, 2026: The vendor released Kali Forms 2.4.10, patching the issue. Exploitation began the same day.
  • April 4, 2026: Free Wordfence users gained firewall protection.
  • April 4–10, 2026: Peak exploitation activity was observed.

Technical Root Cause

The vulnerability stems from improper input validation in the plugin’s prepare_post_data() function, which processes user-supplied form data. By manipulating placeholders (e.g., {entryCounter}), attackers can supply arbitrary PHP function names, which the plugin then executes via call_user_func(). A common attack vector involves forcing a call to wp_set_auth_cookie() to bypass authentication and gain admin access.
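To make the root cause concrete, the following is an added example written for this page; it is not Kali Forms code and does not reproduce the plugin's prepare_post_data() function. It shows a placeholder resolver of the general shape the article describes, first in the unsafe form (a client-controlled name is passed to call_user_func()) and then in a hardened form that maps placeholder names to a fixed allowlist of handlers. The placeholder names, context keys and handler bodies are hypothetical, and the script assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Kali Forms code): a placeholder resolver in the style
// the article describes, in an unsafe form and a hardened form.
// Placeholder names, context keys and handlers here are hypothetical.

// UNSAFE PATTERN: the placeholder name comes from client-controlled template
// data and is handed straight to call_user_func(). Whatever function name
// the client writes between the braces is what gets invoked (CWE-470/CWE-94).
function resolve_placeholders_unsafe(string $template, array $context): string
{
    return preg_replace_callback(
        '/\{([A-Za-z0-9_]+)\}/',
        function (array $m) use ($context): string {
            $name = $m[1];
            return is_callable($name) ? (string) call_user_func($name, $context) : $m[0];
        },
        $template
    );
}

// HARDENED PATTERN: a fixed map from placeholder name to a closure written by
// the plugin author. Client input can only select a key; it can never name a
// PHP function. Unknown names are left as literal text and logged for review.
function placeholder_handlers(): array
{
    return [
        'entryCounter' => fn(array $ctx): string => (string) ($ctx['entry_counter'] ?? 0),
        'formTitle'    => fn(array $ctx): string =>
            htmlspecialchars((string) ($ctx['form_title'] ?? ''), ENT_QUOTES, 'UTF-8'),
        'submitDate'   => fn(array $ctx): string => (string) ($ctx['submitted_at'] ?? ''),
    ];
}

function resolve_placeholders_safe(string $template, array $context): string
{
    $handlers = placeholder_handlers();
    return preg_replace_callback(
        '/\{([A-Za-z0-9_]+)\}/',
        function (array $m) use ($handlers, $context): string {
            $name = $m[1];
            if (!array_key_exists($name, $handlers)) {
                error_log("placeholder rejected (not in allowlist): {$name}");
                return $m[0]; // keep the literal text; never resolve it dynamically
            }
            return $handlers[$name]($context);
        },
        $template
    );
}

// Constructed demo input: one legitimate placeholder per handler plus one
// placeholder that names a PHP function. Only the safe resolver is invoked.
$context  = ['entry_counter' => 42, 'form_title' => 'Contact <us>', 'submitted_at' => '2026-04-05'];
$template = 'Entry #{entryCounter} for {formTitle} on {submitDate} {phpinfo}';

echo resolve_placeholders_safe($template, $context), PHP_EOL;
```

The design point is that the hardened resolver never asks PHP whether a client-supplied string is callable; it asks whether the string is a key in a table the developer wrote. That turns a code-injection surface into a lookup that can only fail closed, and the error_log() call gives operators a signal when someone probes for unknown placeholders.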

Active Exploitation & Attack Patterns

Security monitoring detected over 312,200 exploit attempts targeting the flaw, with attacks peaking between April 4 and April 10, 2026. Attackers sent automated requests to admin-ajax.php, using manipulated form submissions to trigger the RCE. Key attacking IPs included:

  • 209.146.60.26 (152,000+ blocked requests)
  • 49.156.40.126 (50,000+)
  • 124.248.183.139 (26,000+)

Impact & Mitigation

The vulnerability enables unauthenticated RCE, allowing attackers to compromise websites, steal data, or deploy malware. Users were urged to update to Kali Forms 2.4.10 immediately to mitigate risk. Exploitation remains ongoing, with threat actors continuing to scan for unpatched instances.

Source: https://thecyberexpress.com/kali-forms-vulnerability-wordpress-plugin/

Kali Linux cybersecurity rating report: https://www.rankiteo.com/company/kali-linux

"id": "KAL1776155151",
"linkid": "kali-linux",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Web Development/CMS',
                        'name': 'Kali Forms (WordPress Plugin)',
                        'size': '10,000+ active installations',
                        'type': 'Software/Plugin'}],
 'attack_vector': 'Unauthenticated exploitation via manipulated form '
                  'submissions to admin-ajax.php',
 'customer_advisories': 'Users urged to update the plugin immediately',
 'data_breach': {'data_exfiltration': 'Potential data exfiltration'},
 'date_detected': '2026-03-02',
 'date_publicly_disclosed': '2026-03-20',
 'description': 'A severe Remote Code Execution (RCE) vulnerability in Kali '
                'Forms, a popular WordPress plugin with over 10,000 active '
                'installations, has been actively exploited following its '
                'public disclosure. The flaw allows unauthenticated attackers '
                'to execute arbitrary code on vulnerable websites, leading to '
                'potential full site takeovers.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage for '
                                       'affected websites',
            'data_compromised': 'Potential data theft',
            'operational_impact': 'Full site takeovers, malware deployment',
            'systems_affected': 'WordPress websites using Kali Forms (versions '
                                '≤ 2.4.9)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Importance of timely patching and input validation in '
                    'WordPress plugins to prevent RCE vulnerabilities.',
 'post_incident_analysis': {'corrective_actions': 'Patch released (Kali Forms '
                                                  '2.4.10) to fix the input '
                                                  'validation flaw.',
                            'root_causes': 'Improper input validation in the '
                                           '`prepare_post_data()` function, '
                                           'allowing PHP function injection.'},
 'recommendations': 'Update Kali Forms to version 2.4.10 or later immediately. '
                    'Implement firewall rules to block exploit attempts. '
                    'Monitor for suspicious activity.',
 'references': [{'source': 'Wordfence'}],
 'response': {'communication_strategy': 'Public disclosure and advisories',
              'containment_measures': 'Firewall rules to block exploit '
                                      'attempts',
              'enhanced_monitoring': 'Exploitation activity monitoring',
              'remediation_measures': 'Patch released (Kali Forms 2.4.10)',
              'third_party_assistance': 'Wordfence (firewall protection)'},
 'stakeholder_advisories': 'Public disclosure and patch advisories',
 'title': 'Critical Kali Forms WordPress Plugin Vulnerability Exploited in the '
          'Wild',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'Improper input validation in the plugin’s '
                            '`prepare_post_data()` function, allowing PHP '
                            'function injection via placeholders (e.g., '
                            '`{entryCounter}`).'}