Advisory

Critical RCE Vulnerability in Kali Forms Plugin Under Active Exploitation

Take action: If you are using Kali Forms, this is urgent. Immediately update to version 2.4.10 to block active exploitation. If you cannot patch right away, disable the plugin.


Learn More

The WordPress plugin Kali Forms is currently the target of active exploitation. Security researchers identified a flaw that allows unauthenticated users to execute arbitrary code on the host server.

The vulnerability is tracked as CVE-2026-3584 (CVSS score 9.8): a code injection flaw in the form_process function that allows unauthenticated remote code execution. It occurs because the prepare_post_data function maps user-supplied keys directly into internal placeholder storage, and those values are later executed via call_user_func. Attackers can exploit this by sending malicious requests to the form, resulting in full server compromise.

Security firm Wordfence reported blocking 2,370 attacks targeting this flaw within a 24-hour period, indicating widespread automated scanning.

This security issue affects all versions of the Kali Forms plugin up to and including version 2.4.9.

Administrators must update the plugin to version 2.4.10 or higher immediately. If they cannot patch, they should disable the plugin until it can be updated. Administrators should also monitor their server logs for suspicious requests directed at the form_process function to identify potential compromise attempts.
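A small log triage script for the monitoring step above, added here as an example and not part of the advisory or of the plugin: it parses combined-format access log lines, aggregates requests whose target references form_process, and flags clients that hit it repeatedly within a short window, the pattern behind the automated scanning Wordfence observed. The endpoint path in the constructed sample lines and the form_process marker are assumptions; substitute the plugin's real route.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The advisory names only the vulnerable function; the request string that reaches it is
# an assumption here. Replace MARKER with the plugin's real route if it differs.
MARKER = "form_process"

# Constructed sample lines: documentation-range addresses and a placeholder endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=form_process HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:14:02:12 +0000] "POST /wp-admin/admin-ajax.php?action=form_process HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:14:05:40 +0000] "GET /contact/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:14:02:13 +0000] "POST /wp-admin/admin-ajax.php?action=form_process HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2026:15:30:00 +0000] "POST /wp-admin/admin-ajax.php?action=form_process HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def summarize(lines):
    """Aggregate every request whose target references MARKER, keyed by client IP."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or MARKER not in rec["target"].lower():
            continue
        e = per_ip.setdefault(rec["ip"], {"count": 0, "first": rec["ts"],
                                          "last": rec["ts"], "statuses": set()})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], rec["ts"]), max(e["last"], rec["ts"])
        e["statuses"].add(rec["status"])
    return per_ip

def suspicious(per_ip, min_hits=3, window_seconds=60):
    """Clients that hit the endpoint repeatedly within a short window look automated."""
    return sorted(ip for ip, e in per_ip.items() if e["count"] >= min_hits
                  and (e["last"] - e["first"]).total_seconds() <= window_seconds)
```

Run summarize() over your own access log lines and pass the result to suspicious(); tune min_hits and window_seconds to the site's normal form traffic so legitimate submitters are not flagged.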
