The Kali Forms plugin for WordPress suffers from an Insecure Direct Object Reference vulnerability due to insufficient authorization checks on the REST API endpoint /kaliforms/v1/forms/{id}. The permission callback get_items_permissions_check() only verifies that the user has the edit_posts capability but does not confirm that the user owns or is authorized to access the specific form identified by {id}. Consequently, authenticated users with Contributor-level privileges or higher can enumerate form IDs and access configuration data of forms owned by other users, including administrators. Sensitive data exposed includes form structures, Google reCAPTCHA secret keys if configured, email notification templates, and server file paths. The CVSS 3.1 base score is 4.3 (medium severity), reflecting the network attack vector, low complexity, and limited confidentiality impact without integrity or availability effects. No patch or official fix has been confirmed in the provided data.

Authenticated users with Contributor-level access or above can read sensitive configuration data of other users' forms, including potentially sensitive secrets like Google reCAPTCHA keys and email templates. This exposure can lead to information disclosure but does not directly affect data integrity or availability. There are no known exploits in the wild as of the published date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Contributor-level access to trusted users only and monitor for unusual access patterns to form data. Avoid configuring sensitive secrets such as Google reCAPTCHA keys in forms if possible. Follow vendor updates closely for an official fix.