A critical Remote Code Execution vulnerability has been disclosed in the Kali Forms plugin for WordPress, a popular contact form and drag-and-drop builder with more than 10,000 active installations.
The vulnerability, tracked as CVE-2026-3584 with a CVSS score of 9.8, allows unauthenticated attackers to execute code on the server and has been under active exploitation since March 20th, 2026.
The vulnerability was discovered by researcher ISMAILSHADOW, who submitted it through the Wordfence Bug Bounty Program on March 2nd, 2026, and earned a $2,145.00 bounty for the finding.
The disclosure was published in the Wordfence Intelligence Vulnerability Database on March 20th, 2026, the same day the vendor released a patched version. Unfortunately, attackers began targeting the vulnerability that very same day.
The Wordfence Firewall has already blocked over 312,200 exploit attempts targeting this vulnerability, underscoring the scale and speed at which threat actors moved to capitalize on the disclosure.
Vulnerability Details
The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution in all versions up to, and including, 2.4.9 via the `form_process` function.
The root cause lies in the `prepare_post_data()` function, which loops through user-supplied data and writes it into an internal array called `placeholdered_data`. This array normally holds placeholder values the plugin uses later, such as `{entryCounter}` and `{thisPermalink}`.
However, the function does not enforce an allow-list or any filtering on which keys the user is allowed to set, meaning an attacker can freely overwrite these internal placeholders with arbitrary values.
Later, the `_save_data()` method takes those same placeholder values and passes them directly into `call_user_func()`. Whatever string the attacker placed into the placeholder gets executed as a PHP function call.
In observed attacks, threat actors set the `{entryCounter}` placeholder to `wp_set_auth_cookie` and submitted a `formId` of `1`. The plugin then executed `wp_set_auth_cookie(1)`, and since User ID 1 is typically the default administrator account, WordPress responded with valid admin authentication cookies.
This allowed the attacker to log in as the administrator without any credentials, after which they edited the theme's `functions.php` file to inject malware code.
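To make the root cause concrete, here is a simplified, hypothetical reconstruction of the vulnerable pattern next to a hardened version. This is added example code, not Kali Forms' actual source: the names `placeholdered_data`, `prepare_post_data` and `_save_data` follow the write-up, while `kf_next_entry_id`, the class names and the surrounding structure are assumed. A harmless built-in stands in for the function name an attacker would submit.

```php
<?php
// Hypothetical, simplified reconstruction of the flaw described above, with a hardened
// counterpart. Not the plugin's real code; names follow the write-up, structure is assumed.

function kf_next_entry_id($form_id) {          // stand-in for an internal plugin callback
    return "entry-for-form-$form_id";
}

class VulnerableFormHandler {
    private $placeholdered_data = ['{entryCounter}' => 'kf_next_entry_id'];

    // Copies every submitted key into the placeholder array. There is no allow-list, so a
    // submitted '{entryCounter}' key silently replaces the internal callback name.
    public function prepare_post_data(array $post) {
        foreach ($post as $key => $value) {
            $this->placeholdered_data[$key] = $value;
        }
    }

    // Dispatches on the placeholder string, whatever it now contains.
    public function _save_data($form_id) {
        return call_user_func($this->placeholdered_data['{entryCounter}'], $form_id);
    }
}

class HardenedFormHandler {
    const RESERVED = ['{entryCounter}', '{thisPermalink}'];
    private $fields = [];

    // Reserved placeholder keys are dropped and field names must match a strict pattern;
    // user input lives in its own bucket and never touches the placeholder array.
    public function prepare_post_data(array $post) {
        foreach ($post as $key => $value) {
            if (in_array($key, self::RESERVED, true) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $key)) {
                continue;
            }
            $this->fields[$key] = (string) $value;
        }
    }

    // The callback is fixed in code, so there is nothing for user data to redirect.
    public function _save_data($form_id) {
        return kf_next_entry_id($form_id);
    }
}

// Constructed request: one ordinary field plus a reserved key naming a harmless built-in.
$post = ['name' => 'Alice', '{entryCounter}' => 'gettype'];
$v = new VulnerableFormHandler(); $v->prepare_post_data($post);
echo $v->_save_data(1), "\n";   // prints gettype()'s result: the submitted name was called
$h = new HardenedFormHandler();   $h->prepare_post_data($post);
echo $h->_save_data(1), "\n";   // prints the internal callback's result; the key was ignored
```

The vulnerable class shows why `call_user_func()` on a value reachable from request data is the defect, independent of which function name is submitted; the hardened class removes both the unfiltered key copy and the dynamic dispatch.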
Impact
Kali Forms has more than 10,000 active installations. The vulnerability affects all versions up to and including 2.4.9, meaning every site running an unpatched version was potentially exposed.
Attackers began targeting this vulnerability the same day it was publicly disclosed, on March 20th, 2026. Mass exploitation was observed between April 4th and 10th, 2026. The top offending IP address, 209.146.60.26, was responsible for over 152,000 blocked requests alone.
Because successful exploitation grants full administrator access, attackers can modify any file, install backdoors, exfiltrate data, and clear their tracks, making detection of a compromise particularly difficult after the fact.
Patch Status
The vendor released the patched version, 2.4.10, on March 20th, 2026. All site owners running the Kali Forms plugin should update to at least version 2.4.10 as soon as possible.
Site owners who believe their site may have been compromised should review their server log files for requests originating from known attacker IP addresses and look for any abnormal activity or unrecognized administrator accounts.
Protection
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against exploits targeting this vulnerability on March 5, 2026, two weeks before the vulnerability was publicly disclosed.
Sites using the free version of Wordfence received the same protection after the standard 30-day delay on April 4, 2026.
Even with firewall protection in place, updating to the patched version is recommended to maintain normal plugin functionality.
For sites that have already been compromised, Wordfence offers Incident Response services through Wordfence Care, with 24/7/365 availability, and a 1-hour response time through Wordfence Response.
Conclusion
This vulnerability in the Kali Forms plugin represents a serious security concern due to its critical severity, the ease of unauthenticated exploitation, and the confirmed active exploitation in the wild.
With over 312,200 exploit attempts already blocked by the Wordfence Firewall, the data makes clear that attackers are actively and aggressively targeting this issue.
Review the full report to ensure your site is not affected.
Originally published on the [Wordfence Blog](https://www.wordfence.com/blog/2026/04/attackers-actively-exploiting-critical-vulnerability-in-kali-forms-plugin).