Hackers Exploit Kali Forms Vulnerability to Achieve Remote Code Execution on WordPress Sites
A newly uncovered vulnerability in the Kali Forms plugin, a popular drag-and-drop form builder for WordPress with over 10,000 active installations, has emerged as a significant security threat. This flaw enables unauthenticated attackers to execute remote code on affected websites, raising alarms in the cybersecurity community. Exploitation of this vulnerability began almost immediately after its public disclosure, highlighting the urgent need for website administrators to take protective measures.
Timeline of the Kali Forms Vulnerability
The vulnerability was first reported on March 2, 2026, through a bug bounty program, where security researchers identified a critical Remote Code Execution (RCE) issue within the Kali Forms plugin. The vendor responded swiftly, releasing a patched version on March 20, 2026. On the same day, the vulnerability was added to the Wordfence Intelligence database, and attackers began exploiting it at scale.
The timeline of events surrounding this vulnerability is as follows:
- March 2, 2026: Initial submission of the RCE flaw via bug bounty reporting.
- March 5, 2026: Wordfence Premium, Care, and Response users received firewall protection against the vulnerability.
- March 20, 2026: A patched version was released, and the vulnerability was publicly disclosed, with exploitation commencing on the same day.
- April 4, 2026: Free Wordfence users received delayed firewall protection.
- April 4–10, 2026: Peak exploitation activity was observed against the Kali Forms vulnerability.
The fix shipped in version 2.4.10 of the plugin; all versions up to and including 2.4.9 are vulnerable.
Technical Root Cause Behind the Vulnerability
The vulnerability stems from how user-supplied form data is processed and stored within the plugin. Specifically, the flaw lies in the form_process flow and the prepare_post_data() function, which improperly maps attacker-controlled input into internal placeholder storage without adequate validation or allow-list restrictions. This oversight allows malicious actors to inject arbitrary PHP function names.
These placeholders are subsequently utilized in the _save_data() method, where unsafe execution occurs through the call_user_func() function. The lack of input restrictions in prepare_post_data() enables the overwriting of internal placeholders, allowing attacker-controlled values to flow directly into call_user_func(), making exploitation straightforward once the request is submitted.
An example of the vulnerable logic is as follows:
```php
if (isset($this->placeholdered_data['{entryCounter}'])) {
    $this->placeholdered_data['{entryCounter}'] =
        call_user_func($this->placeholdered_data['{entryCounter}'], $this->post->ID);
}
```
Because submitted keys are mapped straight into placeholder storage, attackers can set values such as {entryCounter} and {thisPermalink}, allowing unauthenticated users to execute arbitrary PHP functions. This leads to Remote Code Execution (RCE) attacks.
One observed abuse pattern involves authentication bypass attempts using built-in WordPress functions. For instance, attackers can assign:
```
{entryCounter} = wp_set_auth_cookie
```
This results in the execution of wp_set_auth_cookie(1), potentially logging attackers in as the default administrator account, effectively transforming the Kali Forms vulnerability into a full account takeover vector.
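The flow described above, reduced to a constructed simulation that is not the plugin's code (class, helper and method names are hypothetical, chosen to follow the article's description): the vulnerable `prepare_post_data`/`_save_data` pair sits beside a hardened version that only fills declared fields from the request and never treats a request-supplied string as a callable.

```php
<?php
// Constructed simulation of the flaw described above, not the plugin's code.
// Class and helper names are hypothetical; method names follow the article.
function demo_marker(int $post_id): string {  // stands in for any function an attacker names
    return "demo_marker ran for post $post_id";
}
class FormProcessSim {
    private array $placeholdered_data = [];
    // Vulnerable: every submitted key becomes a placeholder, so the client can
    // overwrite an internal one such as {entryCounter} with a function name.
    public function prepare_post_data_vulnerable(array $post): void {
        foreach ($post as $key => $value) {
            $this->placeholdered_data['{' . $key . '}'] = $value;
        }
    }
    // Hardened: only declared form fields may be filled from the request, values
    // are forced to strings, and internal placeholders are set by the server last.
    public function prepare_post_data_fixed(array $post, array $declared_fields): void {
        $this->placeholdered_data = [];
        foreach ($declared_fields as $field) {
            if (array_key_exists($field, $post) && is_scalar($post[$field])) {
                $this->placeholdered_data['{' . $field . '}'] = (string) $post[$field];
            }
        }
        $this->placeholdered_data['{entryCounter}'] = 0;  // a value, never a callable
    }
    // Mirrors the article's _save_data(): the placeholder reaches call_user_func().
    public function save_data_vulnerable(int $post_id) {
        if (isset($this->placeholdered_data['{entryCounter}'])) {
            $this->placeholdered_data['{entryCounter}'] =
                call_user_func($this->placeholdered_data['{entryCounter}'], $post_id);
        }
        return $this->placeholdered_data['{entryCounter}'];
    }
    // Hardened: the counter comes from server-side code; no request string is a callable.
    public function save_data_fixed(int $post_id, callable $count_entries): int {
        $this->placeholdered_data['{entryCounter}'] = $count_entries($post_id);
        return $this->placeholdered_data['{entryCounter}'];
    }
}

$submission = ['email' => 'user@example.test', 'entryCounter' => 'demo_marker'];  // constructed
$sim = new FormProcessSim();
$sim->prepare_post_data_vulnerable($submission);
var_dump($sim->save_data_vulnerable(7));                   // attacker-named function executed
$sim->prepare_post_data_fixed($submission, ['email']);
var_dump($sim->save_data_fixed(7, fn(int $id): int => 1));  // counter from server-side code only
```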
Active Exploitation of the Kali Forms Vulnerability
Telemetry from security monitoring indicates that exploitation began immediately following the vulnerability’s disclosure. Attackers have systematically targeted the WordPress plugin using automated requests to admin-ajax.php.
A representative exploit request includes:
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=kaliforms_form_process&
data[formId]=1&
data[nonce]=66ddddb2b7&
data[entryCounter]=wp_set_auth_cookie
```
This illustrates how the RCE flaw is triggered through manipulated form submission data. Security systems have recorded significant attack volumes, including:
- Over 312,200 exploit attempts blocked targeting the Kali Forms vulnerability.
- Heavy targeting observed immediately after the March 20, 2026, disclosure.
- A spike in activity between April 4 and April 10, 2026.
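A detection check for the request pattern shown above, added here as an example and not taken from Wordfence or the plugin: it parses decoded POST bodies as a reverse proxy or WAF log would supply them and flags `kaliforms_form_process` submissions that carry the internal placeholder keys the article names. It assumes that a legitimate form submission never supplies those keys; the request records are constructed.

```php
<?php
// Added example, not Wordfence or plugin code. Constructed request records
// stand in for what a reverse proxy or WAF log would supply: client IP,
// request path and the decoded POST body.
const INTERNAL_PLACEHOLDERS = ['entryCounter', 'thisPermalink'];  // named in the article

// Returns the offending keys and values, or null when the request is not suspicious.
function kaliforms_suspicious(string $path, string $body): ?array {
    if (strpos($path, '/wp-admin/admin-ajax.php') === false) {
        return null;
    }
    parse_str($body, $params);  // decodes data[formId]=1 into $params['data']['formId']
    if (($params['action'] ?? '') !== 'kaliforms_form_process') {
        return null;
    }
    $data = $params['data'] ?? [];
    if (!is_array($data)) {
        return null;
    }
    // Assumption: a legitimate submission never supplies these internal keys,
    // so their presence, whatever the value, is the signal.
    $hits = array_values(array_intersect(INTERNAL_PLACEHOLDERS, array_keys($data)));
    if (!$hits) {
        return null;
    }
    return ['keys' => $hits, 'values' => array_intersect_key($data, array_flip($hits))];
}

$records = [  // constructed sample requests; the first mirrors the body shown in the article
    ['ip' => '198.51.100.10', 'path' => '/wp-admin/admin-ajax.php',
     'body' => 'action=kaliforms_form_process&data[formId]=1&data[nonce]=66ddddb2b7&data[entryCounter]=wp_set_auth_cookie'],
    ['ip' => '203.0.113.5', 'path' => '/wp-admin/admin-ajax.php',
     'body' => 'action=kaliforms_form_process&data[formId]=1&data[email]=user%40example.test'],
    ['ip' => '203.0.113.6', 'path' => '/wp-admin/admin-ajax.php', 'body' => 'action=heartbeat'],
];
foreach ($records as $r) {
    $hit = kaliforms_suspicious($r['path'], $r['body']);
    if ($hit !== null) {
        printf("ALERT %s supplied internal placeholder(s): %s\n", $r['ip'], json_encode($hit['values']));
    }
}
```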
Top Attacking IP Addresses Observed
Threat intelligence has identified several IP addresses responsible for large-scale exploitation attempts:
These IP addresses have been repeatedly associated with exploitation attempts targeting the Kali Forms vulnerability in the affected WordPress plugin.
For further details on this vulnerability and its implications, refer to the original reporting source: thecyberexpress.com.