Cyber Posture

CVE-2026-3584

Critical

Published: 20 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2976 (96.7th percentile)
Risk Priority: 37 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
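To make the two-step mechanism in the description concrete, the following hypothetical PHP is an added illustration and is not the Kali Forms plugin's code nor derived from the referenced changeset. It shows the vulnerable shape (request keys merged into the same storage as internal placeholder resolvers, then every callable-looking value invoked) beside a hardened shape where resolvers are fixed in code and request data is only ever read through the form's declared field list. The function names, the 'submission_time' placeholder, the field allow-list and the request contents are all assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class described for CVE-2026-3584: request keys
// copied into placeholder storage whose values are later handed to
// call_user_func. Every name below is hypothetical and is NOT the Kali Forms
// plugin's real prepare_post_data()/form_process() code.

// ---------- Vulnerable shape ----------

// Internal placeholders legitimately map a name to a resolver callable.
function internal_placeholders(): array {
    return ['submission_time' => 'resolver_submission_time'];
}

function resolver_submission_time(): string {
    return gmdate('c');
}

// Problem 1: every request key is merged into the same storage as the resolvers,
// so the sender controls both the key and the value that lands there (and can
// overwrite an existing resolver entry).
function vulnerable_prepare_post_data(array $post): array {
    return array_merge(internal_placeholders(), $post);
}

// Problem 2: any value that happens to be callable is invoked, so a request
// value naming a PHP function is executed server-side.
function vulnerable_form_process(array $post): array {
    $out = [];
    foreach (vulnerable_prepare_post_data($post) as $name => $value) {
        $out[$name] = is_callable($value) ? call_user_func($value) : $value;
    }
    return $out;
}

// ---------- Hardened shape ----------

// Resolvers are fixed in code; nothing in the request can add or replace one.
const PLACEHOLDER_RESOLVERS = ['submission_time' => 'resolver_submission_time'];

// Request data is read by walking the form's declared fields (an allow-list),
// never by walking the request, and every accepted value is kept as a string.
function hardened_prepare_post_data(array $post, array $declared_fields): array {
    $data = [];
    foreach ($declared_fields as $field) {
        if (!preg_match('/\A[a-z0-9_]{1,64}\z/', $field)) {
            continue;                       // malformed name in the form definition
        }
        if (isset($post[$field]) && is_string($post[$field])) {
            $data[$field] = $post[$field];  // data, never a callable
        }
    }
    return $data;
}

function hardened_form_process(array $post, array $declared_fields): array {
    $out = hardened_prepare_post_data($post, $declared_fields);
    foreach (PLACEHOLDER_RESOLVERS as $name => $resolver) {
        $out[$name] = call_user_func($resolver);   // only code-defined callables run
    }
    return $out;
}

// ---------- Demonstration with a constructed request ----------
// 'phpversion' stands in for any function name a sender might supply; it is
// harmless here but proves that the sink executes request-chosen code.
$request = ['name' => 'Alice', 'injected' => 'phpversion'];

$vuln = vulnerable_form_process($request);
echo "vulnerable: injected => {$vuln['injected']}\n";   // the PHP version string: the value was called

$safe = hardened_form_process($request, ['name', 'email']);
echo "hardened:   injected present? " . (isset($safe['injected']) ? 'yes' : 'no') . "\n";  // no
echo "hardened:   name => {$safe['name']}\n";           // Alice, still a plain string
```

The design point is that the hardened version never lets request-derived data reach `call_user_func` at all: the loop that invokes callables iterates a constant map, and the loop that reads the request iterates the form definition rather than `$_POST`. Validating key names alone (the regex) is a useful second layer but would not be sufficient on its own, since the dangerous element in this bug class is the value being treated as a callable.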

Mitigating Controls (NIST 800-53 r5)

prevent
Directly prevents RCE by requiring validation and sanitization of user-supplied keys in form data before they are mapped to placeholders and invoked via call_user_func.

prevent
Mandates timely patching of the Kali Forms plugin (affected versions up to and including 2.4.9), fixing the flaw in the prepare_post_data and form_process functions.

prevent, detect
Deploys malicious code protection mechanisms to scan for and block arbitrary code execution attempts that exploit the vulnerable plugin.

Security Summary

CVE-2026-3584 is a Remote Code Execution vulnerability in the Kali Forms plugin for WordPress, affecting all versions up to and including 2.4.9. The flaw stems from the 'form_process' function: the 'prepare_post_data' function maps user-supplied keys directly into internal placeholder storage, and 'call_user_func' is then invoked on the stored placeholder values. This enables arbitrary code execution on the server and is classified under CWE-94 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation allows attackers to execute arbitrary code on the affected server, potentially leading to full server compromise with high impacts on confidentiality, integrity, and availability.

Advisories and patch details are available via the provided references, including the vulnerable code at line 697 in class-form-processor.php of version 2.4.9, a fix in changeset 3487024, and Wordfence threat intelligence.

Details

CWE(s)
CWE-94: Improper Control of Generation of Code ('Code Injection')

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated remote code execution in a WordPress plugin, directly enabling exploitation of a public-facing web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References