Kali Forms RCE: WordPress Sites Under Attack
A critical Remote Code Execution (RCE) vulnerability in the Kali Forms WordPress plugin has escalated into an active threat, allowing unauthenticated attackers to compromise sites. According to The Cyber Express, this flaw, impacting a drag-and-drop form builder with over 10,000 active installations, was exploited in the wild almost immediately after its public disclosure.
The vulnerability was first reported on March 2, 2026, through a bug bounty program, and a patched version (2.4.10) was released on March 20, 2026. Attackers began widespread exploitation that same day. The Cyber Express described a rapid disclosure-to-exploitation cycle, with peak activity observed between April 4 and 10, 2026; all versions up to and including 2.4.9 are affected.
The technical root cause lies in the form_process flow, specifically the prepare_post_data() function. It copies attacker-controlled request input into internal placeholder storage without adequate validation, so an arbitrary PHP function name can be injected into a placeholder and is later executed through call_user_func() in the _save_data() method. Because no restriction is placed on that input, exploitation is relatively trivial and yields full Remote Code Execution for unauthenticated attackers.
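As an added illustration, not code from the Kali Forms plugin itself: a minimal reconstruction of the unsafe pattern described above (request data copied into placeholder storage and later handed to call_user_func()) beside an allowlisted replacement. All function, constant and key names here (unsafe_prepare_post_data, FORM_HANDLERS, the 'handler' key, the two sanitize_* helpers) are hypothetical and only stand in for the shape of the bug; the constructed request body at the bottom is made up for the demonstration.

```php
<?php
// Added illustration (not Kali Forms code). Names are hypothetical.

// --- Unsafe pattern (do not use) ---------------------------------------------
// Placeholder storage is filled straight from attacker-controlled input, and one
// of those values is later treated as a function name.
function unsafe_prepare_post_data(array $post): array {
    $placeholders = [];
    foreach ($post as $key => $value) {
        $placeholders[$key] = $value;   // no validation of key or value
    }
    return $placeholders;
}

function unsafe_save_data(array $placeholders): mixed {
    // If $placeholders['handler'] is a string, call_user_func() invokes whatever
    // PHP function that string names. This is the code-execution primitive.
    return call_user_func($placeholders['handler'], $placeholders['field'] ?? '');
}

// --- Hardened pattern --------------------------------------------------------
// Only a fixed map of handlers may ever be called. The request selects a key in
// that map; it never supplies a function name.
const FORM_HANDLERS = [
    'email' => 'sanitize_email_field',       // hypothetical helper
    'text'  => 'sanitize_text_field_plain',  // hypothetical helper
];

function sanitize_email_field(string $v): string {
    return filter_var($v, FILTER_VALIDATE_EMAIL) !== false ? $v : '';
}

function sanitize_text_field_plain(string $v): string {
    return htmlspecialchars(strip_tags($v), ENT_QUOTES, 'UTF-8');
}

function safe_prepare_post_data(array $post): array {
    $placeholders = [];
    foreach ($post as $key => $value) {
        // Drop keys outside a strict pattern and coerce values to plain strings.
        if (!is_string($key) || !preg_match('/^[a-z0-9_]{1,64}$/', $key)) {
            continue;
        }
        $placeholders[$key] = is_string($value) ? $value : '';
    }
    return $placeholders;
}

function safe_save_data(array $placeholders): string {
    $type = $placeholders['handler'] ?? 'text';
    if (!array_key_exists($type, FORM_HANDLERS)) {
        throw new InvalidArgumentException('unknown field handler');
    }
    // Dispatch through the allowlist; the callable comes from our constant,
    // never from the request.
    return FORM_HANDLERS[$type]($placeholders['field'] ?? '');
}

// Demonstration with a constructed request body (not a real capture).
$request = ['handler' => 'phpinfo', 'field' => ''];
try {
    safe_save_data(safe_prepare_post_data($request));
} catch (InvalidArgumentException $e) {
    // The unsafe version would have called phpinfo() here instead.
    echo "rejected: {$e->getMessage()}\n";
}
echo safe_save_data(safe_prepare_post_data(['handler' => 'email', 'field' => 'a@example.com'])), "\n";
```

The fix is not to blocklist dangerous function names but to remove the request's ability to name a function at all: the only strings that reach a call site are values of a constant map, and the request can only pick a key. Any key outside the map is an error, which is also a useful signal to log.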
What This Means For You
- If your WordPress site uses the Kali Forms plugin, check its version *right now*. Any version before 2.4.10 (that is, 2.4.9 or earlier) is vulnerable; update to 2.4.10 or later immediately. Audit your web server logs for suspicious activity from March 20, 2026 onward, and especially between April 4 and 10, 2026, paying particular attention to unexpected POST requests to the plugin's form submission handling, since exploitation runs through the form_process flow. Updating does not undo a compromise that has already happened: if the logs show signs of exploitation, treat the host as compromised and investigate for persistence rather than relying on the patch alone.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| Kali-Forms-RCE | RCE | Kali Forms WordPress plugin versions <= 2.4.9: unauthenticated Remote Code Execution |
| Kali-Forms-RCE | Affected Product | Kali Forms WordPress plugin (10,000+ active installations); patched in v2.4.10, released March 20, 2026 |
| Kali-Forms-RCE | Code Injection | form_process -> prepare_post_data() -> call_user_func() in _save_data(): arbitrary PHP function execution |