CVE-2026-3584

Description

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the form_process function. This is due to the prepare_post_data function mapping user-supplied keys directly into internal placeholder storage, combined with the use of call_user_func on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.