A critical Remote Code Execution vulnerability in the Kali Forms WordPress plugin (all versions up to and including 2.4.9) was publicly disclosed and exploited in the wild almost at once, letting unauthenticated attackers execute arbitrary PHP through manipulated form placeholders. The flaw stems from improper validation in prepare_post_data(), which lets attacker-controlled placeholder values reach call_user_func() as the callable; large-scale automated attacks were observed immediately after the March 20, 2026 disclosure. #KaliForms #WordPress
Keypoints
- The Kali Forms vulnerability enables unauthenticated Remote Code Execution on affected WordPress sites.
- Kali Forms has over 10,000 active installations; the vendor released patch 2.4.10 on March 20, 2026.
- The root cause is insufficient validation in prepare_post_data(), which lets attacker-controlled placeholder values be passed to call_user_func() and executed.
- Attackers abused the entryCounter placeholder (e.g., setting it to wp_set_auth_cookie, the WordPress function that logs in a given user ID) to bypass authentication and take over accounts.
- Security systems blocked more than 312,200 exploit attempts, with activity peaking between March 20 and April 10, 2026, and several high-volume attacking IPs were identified.
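To make the root cause concrete, here is an added PHP illustration, not code from the Kali Forms plugin, of the sink pattern the summary describes: a request-controlled string reaching call_user_func() as the callable, beside a hardened version that resolves the placeholder through a fixed allowlist. The function names, the request keys other than entryCounter, and the entry ID argument are assumptions; wp_set_auth_cookie() is stubbed so the file runs without WordPress.

```php
<?php
// Added illustration for this summary, not code from the Kali Forms plugin.
// The function names, the $request array shape and the $entry_id argument
// are hypothetical; only the sink pattern (a request-controlled string used
// as the callable in call_user_func()) mirrors the described bug.

// Stand-in for WordPress's wp_set_auth_cookie() so this runs outside
// WordPress. It only records the user ID it was asked to log in.
$GLOBALS['auth_cookie_calls'] = [];
function wp_set_auth_cookie($user_id, $remember = false) {
    $GLOBALS['auth_cookie_calls'][] = (int) $user_id;
}

// Vulnerable pattern: the submitted entryCounter value is taken as the
// function that formats the entry counter.
function render_entry_counter_vulnerable(array $request, int $entry_id): string {
    $counter_fn = $request['entryCounter'] ?? 'strval';
    // is_callable() is not a security check: every global PHP and WordPress
    // function name passes it, including wp_set_auth_cookie.
    if (!is_callable($counter_fn)) {
        $counter_fn = 'strval';
    }
    $counter = call_user_func($counter_fn, $entry_id);
    return 'Entry #' . (string) $counter;
}

// Hardened pattern: request data only selects a key in a fixed allowlist and
// is never itself used as a callable; unknown keys fall back to the default.
function render_entry_counter_fixed(array $request, int $entry_id): string {
    $formatters = [
        'plain'  => 'strval',
        'padded' => function (int $n): string { return sprintf('%05d', $n); },
    ];
    $style = (string) ($request['counterStyle'] ?? 'plain');
    if (!array_key_exists($style, $formatters)) {
        $style = 'plain';
    }
    $counter = call_user_func($formatters[$style], $entry_id);
    return 'Entry #' . $counter;
}

// Constructed request resembling the abuse described above: the placeholder
// names the WordPress function that sets the login cookie, and the entry
// being rendered has ID 1 (on a default install, the first administrator).
$malicious = ['entryCounter' => 'wp_set_auth_cookie', 'counterStyle' => 'wp_set_auth_cookie'];
$benign    = ['counterStyle' => 'padded'];

echo render_entry_counter_vulnerable($malicious, 1), PHP_EOL;
echo 'auth cookie set for user IDs: ', json_encode($GLOBALS['auth_cookie_calls']), PHP_EOL;

$GLOBALS['auth_cookie_calls'] = [];
echo render_entry_counter_fixed($malicious, 1), PHP_EOL;
echo render_entry_counter_fixed($benign, 1), PHP_EOL;
echo 'auth cookie set for user IDs: ', json_encode($GLOBALS['auth_cookie_calls']), PHP_EOL;
```

Run it with the php command-line interpreter: the vulnerable function ends up calling the login routine for user ID 1 when fed the malicious request, while the hardened function treats the same request as plain data and renders the counter normally. Note that is_callable() is not a mitigation, since it accepts any global function name; the fix is to never let request input choose the callable. Site owners can confirm the installed version with WP-CLI, e.g. `wp plugin get kali-forms --field=version` (assuming the wordpress.org slug kali-forms); anything below 2.4.10 is affected.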
Read More: https://thecyberexpress.com/kali-forms-vulnerability-wordpress-plugin/