
CVE-2024-1218: CWE-862 Missing Authorization in kaliforms Contact Form builder with drag & drop for WordPress – Kali Forms

Severity: Medium
Tags: Vulnerability, CVE-2024-1218, CWE-862
Published: Tue Feb 20 2024 (02/20/2024, 18:56:49 UTC)
Source: CVE Database V5
Vendor/Project: kaliforms
Product: Contact Form builder with drag & drop for WordPress – Kali Forms

Description

CVE-2024-1218 is a medium severity vulnerability in the Kali Forms WordPress plugin, affecting all versions up to and including 2.3.41. It involves missing authorization checks on several REST API endpoints, allowing authenticated users with contributor or higher roles to access or modify contact forms and their entries without proper permissions. The flaw stems from inconsistent capability verification, enabling privilege escalation within the WordPress environment. Although exploitation requires at least contributor-level access, no user interaction is needed beyond authentication. The vulnerability impacts confidentiality by exposing form data but does not affect integrity or availability directly. There are currently no known exploits in the wild, and no official patches have been released yet. Organizations using Kali Forms should restrict contributor access and monitor for suspicious API activity until a fix is available.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 09:21:13 UTC

Technical Analysis

CVE-2024-1218 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Kali Forms plugin for WordPress, which provides a drag-and-drop contact form builder. The issue arises from inconsistent capability checks on multiple REST API endpoints, which are used to manage forms and form entries. Specifically, authenticated users with contributor-level privileges or higher can bypass intended authorization controls to access or modify form data via these endpoints. This vulnerability affects all versions of the plugin up to and including 2.3.41. The root cause is that the plugin's REST API does not properly verify whether the requesting user has sufficient permissions to perform certain actions, leading to unauthorized data exposure or modification. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges of at least contributor level, but no user interaction is needed. The impact is primarily on confidentiality, as unauthorized users can read form data, but integrity and availability are not directly compromised. No known exploits have been reported in the wild, and no official patches have been published at the time of disclosure. The vulnerability is significant because WordPress sites often rely on plugins like Kali Forms for user interaction and data collection, and unauthorized access to form data could lead to information leakage or further attacks if sensitive data is collected.
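The pattern behind CWE-862 in a WordPress REST route is easiest to see side by side. The following is an added illustration written for this page, not Kali Forms code: the advisory does not name the plugin's actual endpoints, so the namespace `example-forms/v1`, the route paths and the function names are hypothetical. The first route registers a handler whose `permission_callback` accepts any request; the second registers the same handler behind a callback that demands a specific capability (`manage_options`, which contributors do not hold by default) and returns a `WP_Error` so the REST server refuses the request before the handler runs.

```php
<?php
// Added example for CVE-2024-1218 / CWE-862; not code from the Kali Forms plugin.
// Namespace, routes and function names are hypothetical.

add_action( 'rest_api_init', function () {

    // Weak pattern: '__return_true' means any caller who reaches the endpoint is
    // authorised. An authenticated contributor therefore reads every entry
    // because nothing checks *which* capability the user holds.
    register_rest_route( 'example-forms/v1', '/entries-unchecked/(?P<form_id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_forms_list_entries',
        'permission_callback' => '__return_true', // missing authorization (CWE-862)
    ) );

    // Hardened pattern: a real permission callback plus argument validation.
    register_rest_route( 'example-forms/v1', '/entries/(?P<form_id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_forms_list_entries',
        'permission_callback' => 'example_forms_can_manage_entries',
        'args'                => array(
            'form_id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
            ),
        ),
    ) );
} );

/**
 * Permission callback: distinguishes "logged in" from "allowed to do this".
 * Contributors have 'edit_posts' but not 'manage_options', so this check is
 * what separates the two routes above.
 */
function example_forms_can_manage_entries( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'You are not allowed to view form entries.', array( 'status' => 403 ) );
    }
    return true;
}

/**
 * Handler shared by both routes. The entry list is constructed sample data
 * standing in for a database lookup.
 */
function example_forms_list_entries( WP_REST_Request $request ) {
    $form_id = (int) $request['form_id'];
    $entries = array(
        array( 'id' => 1, 'form_id' => $form_id, 'email' => 'visitor@example.com' ),
        array( 'id' => 2, 'form_id' => $form_id, 'email' => 'lead@example.org' ),
    );
    return rest_ensure_response( $entries );
}
```

The point of returning a `WP_Error` with an explicit status is that WordPress maps it to a 401 or 403 response and never invokes the callback; a permission callback that merely returns `false` also blocks the request, but the error form documents the reason in the response body and in any REST logging you have in place.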

Potential Impact

The vulnerability allows authenticated users with contributor or higher privileges to access or modify contact forms and their entries without proper authorization. This can lead to unauthorized disclosure of potentially sensitive information submitted through forms, such as personal data or business inquiries. While the vulnerability does not directly impact data integrity or system availability, the exposure of confidential data can have reputational and compliance consequences for organizations. Attackers could also manipulate form data to mislead site administrators or disrupt normal operations indirectly. Since contributor-level access is often granted to trusted users or external collaborators, this vulnerability increases the risk of insider threats or compromised accounts being leveraged for unauthorized data access. Organizations relying on Kali Forms for critical data collection or customer interaction may face privacy violations and regulatory risks, especially under data protection laws like GDPR or CCPA. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks once the vulnerability details are widely known.

Mitigation Recommendations

Until an official patch is released, organizations should implement strict access controls to limit contributor-level accounts to only trusted users. Review and audit user roles and permissions within WordPress to ensure minimal necessary privileges are assigned. Disable or restrict REST API access for roles that do not require it, using plugins or custom code to enforce capability checks. Monitor REST API usage logs for unusual or unauthorized access patterns related to form endpoints. Consider temporarily deactivating the Kali Forms plugin if contributor access cannot be sufficiently controlled or if sensitive data is handled. Stay informed about updates from the Kali Forms vendor and apply patches promptly once available. Additionally, implement web application firewalls (WAFs) with custom rules to detect and block suspicious API requests targeting form management endpoints. Educate site administrators and contributors about the risks of privilege misuse and encourage strong authentication practices to reduce the risk of compromised accounts.
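The "custom code to enforce capability checks" and "monitor REST API usage" recommendations above can be combined into a single site-level compensating control that does not touch the vulnerable plugin. The following is an added example, not vendor code: a must-use plugin that hooks the `rest_pre_dispatch` filter, denies requests to a guarded REST namespace unless the user holds an administrator capability, and writes each denial to the PHP error log. The namespace prefix `/example-forms/` is a placeholder; the advisory does not state the plugin's real namespace, so look it up in the route index at `/wp-json/` on the affected site before deploying.

```php
<?php
/**
 * Plugin Name: Example REST gate for form endpoints
 * Description: Added example (not Kali Forms code). Drop into wp-content/mu-plugins/
 *              as a temporary control until the vendor patch is applied.
 */

// Both values are assumptions for this example: replace the prefix with the
// namespace the plugin actually registers and adjust the capability to taste.
const EXAMPLE_GATE_PREFIX     = '/example-forms/';
const EXAMPLE_GATE_CAPABILITY = 'manage_options';

add_filter( 'rest_pre_dispatch', 'example_gate_form_endpoints', 10, 3 );

/**
 * Runs before WordPress dispatches any REST request. Returning null lets the
 * request proceed; returning a WP_Error short-circuits dispatch with that error.
 */
function example_gate_form_endpoints( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route = $request->get_route();

    // Only act on the guarded namespace; every other route is untouched.
    if ( strpos( $route, EXAMPLE_GATE_PREFIX ) !== 0 ) {
        return $result;
    }

    if ( current_user_can( EXAMPLE_GATE_CAPABILITY ) ) {
        return $result; // administrators are dispatched normally
    }

    // Record the denial so that repeated attempts from a contributor account
    // show up in the web server's error log and can be forwarded to a SIEM.
    error_log( sprintf(
        'rest-gate: denied %s %s for user_id=%d from %s',
        $request->get_method(),
        $route,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    $status = is_user_logged_in() ? 403 : 401;
    return new WP_Error(
        'rest_forbidden',
        'Form management endpoints are restricted on this site.',
        array( 'status' => $status )
    );
}
```

Because the filter runs inside `WP_REST_Server::dispatch()`, it applies regardless of which `permission_callback` the plugin registered, which is what makes it useful as a stopgap for a plugin you cannot yet update. The cost is that non-admin roles lose access to the whole namespace, including any front-end submission endpoints the plugin may expose under the same prefix; test form submission as an anonymous visitor after enabling it, and narrow the prefix to the management routes if submissions break.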


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-02-02T20:33:17.834Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d27b7ef31ef0b56e66f

Added to database: 2/25/2026, 9:44:07 PM

Last enriched: 2/26/2026, 9:21:13 AM

Last updated: 2/26/2026, 9:39:26 AM

