2026-03-20 21:25:11
Wordfence
PUBLISHED
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the form_process function. This is due to the prepare_post_data function mapping user-supplied keys directly into internal placeholder storage, combined with the use of call_user_func on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.