{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3584", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-05T05:20:57.880Z", "datePublished": "2026-03-20T21:25:11.166Z", "dateUpdated": "2026-03-23T16:51:44.450Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-20T21:25:11.166Z"}, "affected": [{"vendor": "wpchill", "product": "Kali Forms \u2014 Contact Form & Drag-and-Drop Builder", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.4.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server."}], "title": "Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6cecd06f-c064-49fd-b3fa-505a5a0c2e0b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.9/Inc/Frontend/class-form-processor.php#L697"}, {"url": "https://plugins.trac.wordpress.org/changeset/3487024/kali-forms"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "ISMAILSHADOW"}], "timeline": [{"time": "2026-03-05T05:39:37.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-20T08:36:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:51:26.841196Z", "id": "CVE-2026-3584", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:51:44.450Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3584", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T16:51:26.841196Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:51:32.295Z"}}], "cna": {"title": "Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process", "credits": [{"lang": "en", "type": "finder", "value": "ISMAILSHADOW"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wpchill", "product": "Kali Forms \u2014 Contact Form & Drag-and-Drop Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-05T05:39:37.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-20T08:36:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6cecd06f-c064-49fd-b3fa-505a5a0c2e0b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.9/Inc/Frontend/class-form-processor.php#L697"}, {"url": "https://plugins.trac.wordpress.org/changeset/3487024/kali-forms"}], "descriptions": [{"lang": "en", "value": "The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-20T21:25:11.166Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3584", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:51:44.450Z", "dateReserved": "2026-03-05T05:20:57.880Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-20T21:25:11.166Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server."}], "id": "CVE-2026-3584", "lastModified": "2026-03-23T14:32:02.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-20T22:16:29.267", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.9/Inc/Frontend/class-form-processor.php#L697"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3487024/kali-forms"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6cecd06f-c064-49fd-b3fa-505a5a0c2e0b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Kali Forms \u2014 Contact Form & Drag-and-Drop Builder", "source": "cna", "vendor": "wpchill"}, "product": "kali_forms_\u2014_contact_form_&_drag-and-drop_builder", "vendor": "wpchill"}], "analysis": {"en": {"generated_at": "2026-03-20T22:21:39.058867+00:00", "value": {"mitigation_remediation": ["Update Kali Forms to the latest release that fixes the vulnerable code (any version newer than 2.4.9).", "If an immediate update is not feasible, disable or remove the Kali Forms plugin to eliminate the risk.", "Verify that no custom form processing code remains in the theme that could re\u2011introduce the vulnerability.", "After applying the fix or removal, monitor the site for any unauthorized activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "This vulnerability affects WordPress installations using the Kali Forms plugin by wpchill, specifically versions 2.4.9 and earlier.", "description_and_impact": "The Kali Forms plugin for WordPress contains a flaw in the form_process routine where user supplied data is mapped directly to internal placeholders and later executed via call_user_func, enabling the execution of arbitrary code on the server without authentication.", "risk_and_exploitability": "The CVSS base score is 9.8, indicating critical severity, and while EPSS data is unavailable, the lack of KEV listing does not mitigate the fact that unauthenticated attackers can submit malicious input through the form processing endpoint to achieve full application compromise. The likely attack vector is a remotely crafted HTTP request to the form_process URL with controlled parameters."}}}}, "created": "2026-03-23T09:52:37.491563+00:00", "updated": "2026-03-25T14:34:31.707383+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$kali_forms_\u2014_contact_form_&_drag-and-drop_builder"]}