WordPress Remote Code Execution in Kali Forms//Published on 2026-03-23//CVE-2026-3584

WP-FIREWALL SECURITY TEAM

Kali Forms Vulnerability

Plugin Name Kali Forms
Type of Vulnerability Remote Code Execution
CVE Number CVE-2026-3584
Urgency Critical
CVE Publish Date 2026-03-23
Source URL CVE-2026-3584

Emergency Security Advisory: Unauthenticated Remote Code Execution (RCE) in Kali Forms <= 2.4.9 (CVE-2026-3584)

Summary

  • Vulnerability: Unauthenticated remote code execution via the form processing endpoint
  • Affected software: Kali Forms WordPress plugin — versions <= 2.4.9
  • Patched in: 2.4.10
  • CVE: CVE-2026-3584
  • Severity: Critical / CVSS 10 — unauthenticated, remote, code execution
  • Reported by: security researcher (public disclosure 23 Mar, 2026)

If your site runs Kali Forms and the plugin version is 2.4.9 or older, treat this as an immediate emergency. This vulnerability allows an attacker with no account and no prior access to execute arbitrary PHP code on the site — a full site compromise vector.

Below is a practical, expert guide from the WP-Firewall security team: what this flaw means, how attackers can exploit it, step-by-step containment and recovery procedures, long-term hardening guidance, and specific mitigation rules you can apply immediately (including WAF and webserver rules). We also explain how WP-Firewall can protect your site instantly while you update or perform incident response.

Why this vulnerability is critical

An unauthenticated RCE means an attacker does not need a user account to exploit the bug. They can target publicly accessible endpoints exposed by the plugin (the form processing handler) and run arbitrary PHP code. Consequences include:

  • Full takeover of WordPress: creation of administrator accounts, backdoors, and persistence mechanisms.
  • Data theft: exfiltration of database contents, user credentials, payment/customer data.
  • Malware installation: web shells, cryptominers, spam engines, redirectors.
  • Supply-targeted attacks: attackers often use unauthenticated RCEs in mass-exploit campaigns, probing thousands of sites automatically.

Because this issue is remote (network accessible) and unauthenticated, it is trivial for attackers to scan for vulnerable sites and attempt exploit chains. The CVSS score is the maximum severity for a reason: it yields complete remote control.

How the vulnerability works (technical overview)

The vulnerability is tracked as CVE-2026-3584 and is rooted in the plugin’s form processing endpoint (commonly named or routed as form_process or similar). While the exact exploit details and payload variants found in the wild are subject to researcher disclosure and vendor patches, the general technical root causes in cases like this are:

  • Unsafe handling of user-submitted form data (missing validation or sanitization).
  • Unsafe evaluation or inclusion of user-controlled content (for example, using PHP eval, insecure unserialize() on user data, or writing user payloads to disk that later get included/executed).
  • File upload paths that accept arbitrary file types and place them in accessible locations without checks.
  • Action handlers in publicly exposed endpoints that perform privileged operations without requiring authentication or proper nonce/CSRF checks.

Any of the above allow an attacker to send crafted POST data (or multi-part form data) to the plugin’s public form handler and trigger code paths that result in PHP execution.

From an attacker’s perspective the workflow is straightforward:

  1. Discover WordPress sites with Kali Forms installed.
  2. Check plugin version via public page sources, known endpoints, or fingerprinting.
  3. Send crafted request(s) to the form processing endpoint.
  4. If successful, drop a web shell or run commands to create admin users, modify themes or plugins, or exfiltrate data.

Immediate actions (what to do in the next minutes and hours)

If you manage a WordPress site with Kali Forms installed, follow these steps immediately. Order matters — prioritise containment first.

  1. Upgrade the plugin (recommended)
    • If you can access WP admin and the update is available, update Kali Forms to version 2.4.10 or later immediately.
    • Confirm the plugin is updated and the site is functional.
  2. If you cannot update immediately, take the plugin offline
    • Deactivate the Kali Forms plugin from WP Admin.
    • If you cannot access WP Admin, disable the plugin by renaming the plugin folder via FTP / SFTP / SSH:
      • wp-content/plugins/kali-forms -> wp-content/plugins/kali-forms_disabled
    • This prevents the plugin code from being executed.
  3. Block the vulnerable endpoint with your WAF or webserver
    • Configure your WAF to block POST requests to the plugin’s form processing endpoint (e.g. any requests containing path segments like /form_process or specific query parameters used by Kali Forms).
    • If you use Apache or Nginx, add quick deny rules (examples below).
  4. Put the site in maintenance mode if compromise is suspected
    • A temporary maintenance page reduces the risk of further automated exploitation and prevents customer data exposure.
  5. Inspect logs immediately
    • Check Apache/nginx/PHP-FPM logs and access logs for suspicious POST requests, unusual user-agent strings, or requests to the plugin endpoint.
    • Look for spikes in traffic or repeated attack patterns.
  6. Run a malware scan and file integrity checks
    • Scan upload directories for PHP files, unfamiliar files, or recently modified files.
    • Compare core WordPress files and theme/plugin files against clean copies.
  7. Rotate credentials
    • Change admin passwords, database credentials if you suspect compromise, API keys and any FTP/hosting account credentials.
  8. If you are unsure or see evidence of compromise, engage professional incident response
    • Consider full forensic analysis, restoration from a clean backup, and credential resets.

Quick mitigation examples

Below are practical snippets you can drop into your site to block obvious exploit attempts. Use them if you cannot update immediately — these are temporary shields, not replacements for applying the vendor patch.

Important: Test in staging first if possible. These are conservative blocks intended to reduce attack surface.

Example: Nginx rule to block POSTs to typical form processing URL

# Block POST requests to Kali Forms form processing endpoint
location ~* /wp-content/plugins/kali-forms/.*/form_process {
    if ($request_method = POST) {
        return 403;
    }
}

# If the endpoint is via admin-ajax with a specific action:
location = /wp-admin/admin-ajax.php {
    if ($request_method = POST) {
        set $bad_action 0;
        if ($arg_action ~* "(form_process|kali_forms_process|kf_form_process)") {
            set $bad_action 1;
        }
        if ($bad_action = 1) {
            return 403;
        }
    }
}

Example: Apache (.htaccess) deny

Place in your WordPress root or plugin folder:

# Deny external POSTs to Kali Forms form_process
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^wp-content/plugins/kali-forms/ - [F,L]
</IfModule>

Example ModSecurity rule (generic)

If you run ModSecurity, use a rule to block suspicious payloads or specific endpoints:

SecRule REQUEST_URI "@rx /wp-content/plugins/kali-forms/.*form_process" "phase:1,deny,status:403,log,msg:'Blocked request to Kali Forms form_process (temporary mitigation)'"

These rules are short-term shields. Update the plugin and remove temporary rules when the site is patched.

WP-Firewall mitigation — how we can help now

As a WordPress WAF and security provider, WP-Firewall protects sites with layered defenses engineered for exactly this class of vulnerability:

  • Immediate WAF rule deployment: once a vulnerability is published, our security team rapidly implements and pushes virtual patching rules that block exploit attempts to the affected endpoints (including form processing handlers), tailored to exploit fingerprints.
  • Signature and behavioral blocking: we detect and block suspicious payloads, unusual POST bodies, and embedded PHP payloads that attackers use to gain execution.
  • Rate-limiting and bot management: to prevent mass exploit scanners from succeeding.
  • Real-time alerts and traffic logs: identify attempted exploit sources and patterns.
  • Malware scanning and cleanup (for paid tiers): periodic scans detect and remove known web shells and backdoors.

If you cannot update immediately, enabling a WAF with targeted rules is the fastest way to reduce the risk of automated mass exploitation while you work through updates and incident response.

Incident response checklist — a detailed step-by-step

If you suspect your site was targeted or compromised, follow this checklist. It’s written in operational sequence for responders.

  1. Contain
    • Immediately update or deactivate the Kali Forms plugin.
    • Put the site in maintenance mode; limit external access.
    • If possible, block the plugin endpoint at the network edge (WAF) and webserver.
  2. Preserve evidence
    • Take a full backup/image of the webroot and database (quarantine before changes).
    • Preserve logs (web server, PHP-FPM, database access, FTP, control panel) for forensic review.
  3. Detect
    • Search for new or modified PHP files: especially in /wp-content/uploads, theme and plugin folders.
    • Look for files with names resembling common webshells (random names, .php files in uploads).
    • Search DB for suspicious options, new users, unusual admin-level entries.

    Useful commands (SSH):

    # Find PHP files in uploads modified in last 7 days
find wp-content/uploads -type f -iname '*.php' -mtime -7 -print

# Find recently modified files in plugin/theme directories
find wp-content/plugins wp-content/themes -type f -mtime -7 -print

# Search for suspicious functions (eval, base64_decode, assert, system)
grep -R --line-number -E "eval\(|base64_decode\(|assert\(|system\(|passthru\(" wp-content
  4. Eradicate
    • Remove malicious files and web shells (be conservative: preserve copies before deletion).
    • Reinstall WordPress core and all plugins/themes from official sources (do not reuse the potentially tainted local copies).
    • Rotate database password and update wp-config.php with the new creds; verify keys and salts.
  5. Recover
    • Restore from a known clean backup if the site is heavily compromised.
    • Update all software to latest versions, including Kali Forms (2.4.10+), WP core, other plugins/themes.
    • Re-enable the site and monitor traffic and logs intensively for 72+ hours.
  6. Post-incident hardening
    • Force password resets for admin users and users with elevated privileges.
    • Revoke/rotate any API keys that may have been exposed.
    • Enable 2FA for administrator accounts.
    • Review file system permissions (no PHP execution in uploads if not needed).
  7. Report
    • Notify your hosting provider or security partner if you need assistance.
    • If you host customer data, follow applicable data breach notification laws and regulations.

Indicators of Compromise (IoCs) to look for

Common signs an RCE was used and persistence established:

  • Unexpected admin users (check Users > All Users).
  • Unusual scheduled events (check WP Cron, wp_options cron entries).
  • PHP files in wp-content/uploads or other writable locations.
  • Modified theme or plugin files with obfuscated code (base64 strings, eval).
  • Abnormal outbound connections from the server (check netstat, lsof).
  • High CPU usage (cryptominer activity).
  • Repeated POST requests to form endpoints in access logs (especially from different IPs).

Search lists:

  • Files: look for recently modified files, .php in uploads
  • Database: wp_options autoloaded entries with long base64 strings
  • Logs: POST to plugin endpoints, admin-ajax.php?action=… entries that match plugin actions

Long-term hardening recommendations

To reduce risk going forward:

  1. Principle of least privilege
    • Only grant administrator role to users who need it.
    • Use separate accounts for admin and daily operations.
  2. Lock down uploads and writable directories
    • Prevent PHP execution in uploads if not required: 
      <FilesMatch "\.php$">
  Deny from all
</FilesMatch>
    • Alternatively, configure server to deny execution in upload directories.
  3. Strong update discipline
    • Apply plugin and core updates promptly.
    • Use staging to test updates for compatibility, but do not delay critical security updates.
  4. Implement file integrity monitoring
    • Monitor core, plugin, and theme file hashes and alert on unexpected changes.
  5. Use a WAF and virtual patching
    • A properly managed WAF can block exploit attempts before the site is vulnerable, buying you time to patch.
  6. Backup and test restores
    • Keep frequent, automated off-site backups and test restoration procedures.
  7. Harden wp-config.php
    • Restrict database access, use strong salts and keys, and consider moving wp-config.php up one directory level.
  8. Secure hosting and separation
    • Run WordPress behind hardened hosts; avoid mixing multiple production sites on a single account without containment.

Recommendations for plugin developers (why this happens and how to fix similar bugs)

If you’re a plugin author, vulnerabilities like this are preventable with secure coding practices:

  • Never use eval() or allow uncontrolled unserialize() on user input.
  • Enforce strict server-side input validation and sanitization — not only client-side.
  • Require nonces and capability checks for any action that modifies server state.
  • When accepting file uploads:
    • Validate mime types and file extensions.
    • Store files outside the webroot or ensure they cannot be executed.
    • Randomize file names and enforce size limits.
  • Principle of least privilege: don’t perform privileged operations in public endpoints.
  • Use secure coding libraries and well-tested APIs wherever possible.
  • Have a vulnerability disclosure program and push patches quickly.

Sample monitoring queries and detection tips

  • Detect webshell-like patterns (base64 + eval) in files: 
    grep -R --line-number -E "base64_decode\(|eval\(|gzinflate\(|preg_replace\(.*/e" wp-content | less
  • Check for PHP files in uploads: 
    find wp-content/uploads -type f -iname '*.php' -print
  • List recently modified files in WP directories: 
    find wp-content -type f -mtime -7 -print
  • Query for new admin users in WP database (via MySQL): 
    SELECT ID, user_login, user_email, user_registered, user_status FROM wp_users WHERE ID IN (SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%') ORDER BY user_registered DESC;

Communicating to stakeholders

If you handle customer sites or run a hosting business, prepare a short, factual notice:

  • What happened: vulnerability in Kali Forms <=2.4.9 allows unauthenticated RCE.
  • Immediate steps taken: plugin updated or deactivated, WAF rules applied, scans underway.
  • What customers should do: change passwords if they have admin access, report unusual behavior.
  • Assistance: provide contact path to your security team for remediation.

Be transparent, avoid speculation, and include remediation timelines.

“Protect Your Site Now — Free Managed Firewall & WAF Protection”

If you need immediate, managed protection while you update plugins or respond to incidents, WP-Firewall provides a free plan that delivers essential, automated defenses built for WordPress.

Why sign up for WP-Firewall’s Free Plan?

  • Essential protection: managed firewall, unlimited bandwidth, Web Application Firewall (WAF), malware scanner, and mitigation of OWASP Top 10 risks — exactly the protections that help block exploit attempts like the Kali Forms RCE.
  • Fast deployment: virtual patching rules and signatures are applied quickly to block known exploit vectors to affected endpoints.
  • Continuous monitoring: get alerts and traffic logs so you can see attempted attacks and respond efficiently.
  • No immediate cost: start with the Basic (Free) plan and upgrade later to gain automated malware removal and virtual patching features if you need them.

Start your free protection here:
https://my.wp-firewall.com/buy/wp-firewall-free-plan/

(If you run many sites, our paid plans add automated remediation, monthly security reports, and advanced support. But for urgent protection, the free plan gives you critical WAF coverage and a safety net while you patch.)

FAQ — short answers to common questions

Q: I updated to 2.4.10 — am I safe?
A: Updating removes the vulnerable code. After updating, scan your site for signs of prior compromise (web shells, new admin users, modified files). If you find nothing, monitor logs closely for any suspicious activity.

Q: I can’t update right now. Will disabling the plugin help?
A: Yes — deactivating or renaming the plugin folder prevents the vulnerable code from executing. Combine this with WAF rules for best temporary protection.

Q: Should I restore from a backup after an exploit?
A: If you have confirmed compromise (malicious files, admin accounts, or unknown network connections), restoring from a clean backup is often the safest route. After restore, rotate credentials and update everything before bringing the site online.

Q: Can a WAF prevent this vulnerability entirely?
A: A WAF can block exploit attempts and provide meaningful protection, especially against automated mass-scans. But WAFs are a mitigation layer — updating and patching the underlying vulnerable plugin is the only full fix.

Final notes from the WP-Firewall team

This kind of unauthenticated RCE is one of the most serious threats for any WordPress site — it removes almost all barriers an attacker needs to achieve full site control. The single best immediate action for site owners is to update Kali Forms to the patched release (2.4.10+). If you cannot update right away, combine the following defensively: disable the plugin, apply WAF rules, scan for compromise, and follow the incident response steps above.

WP-Firewall is here to help. For sites under active management or hosting, consider enabling network-level WAF rules and continuous scanning to block automated exploit campaigns. If you need support with detection, containment, or recovery, our incident response team can assist.

Stay safe, keep software updated, and treat unauthenticated remote code execution advisories as high-priority emergencies.

— WP-Firewall Security Team

wordpress security update banner

Receive WP Security Weekly for Free 👋
Signup Now!!

Sign up to receive WordPress Security Update in your inbox, every week.

We don’t spam! Read our privacy policy for more info.

Contact us to schedule a complimentary WordPress Security consultation

Contact Us

WP-Firewall
6/F, The Rays, 71 Hung To Road, Kwun Tong, Kowloon, Hong Kong

Features Pricing Blog Login
Privacy Policy Terms of Service Docs Affiliate

© 2026 WP-Firewall™