CVE-2026-1860: CWE-862 Missing Authorization in wpchill Kali Forms — Contact Form & Drag-and-Drop Builder
The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
AI Analysis
Technical Summary
CVE-2026-1860 is an authorization bypass vulnerability classified under CWE-862 (Missing Authorization) affecting the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin by wpchill. The vulnerability exists in all versions up to and including 2.4.8. The root cause is the insufficient permission check in the REST API endpoint /kaliforms/v1/forms/{id}, specifically the get_items_permissions_check() callback. This callback verifies only that the requesting user has the 'edit_posts' capability, which is common to roles such as Contributor and above, but it does not confirm whether the user owns or is authorized to access the specific form identified by {id}. Consequently, an authenticated user with Contributor-level privileges can enumerate form IDs and retrieve configuration data belonging to other users, including administrators. The exposed data includes sensitive elements such as form field structures, Google reCAPTCHA secret keys if configured, email notification templates, and server paths. These details can be leveraged to craft targeted attacks, bypass CAPTCHA protections, or gain insights into the server environment. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3, reflecting a medium severity due to the limited confidentiality impact and the requirement for authenticated access. No patches or known exploits are currently reported, but the vulnerability poses a risk especially in multi-user WordPress environments where contributors have access.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive form configuration data, including Google reCAPTCHA secret keys, which may enable attackers to bypass CAPTCHA protections and automate attacks such as spam or brute force. Exposure of email templates and server paths can aid in social engineering or further exploitation of the hosting environment. Organizations with multi-user WordPress setups, such as agencies, educational institutions, or enterprises using Kali Forms, are particularly vulnerable. The confidentiality breach could affect customer data privacy and compliance with GDPR if form data or related configurations are sensitive. Although the vulnerability does not allow modification or deletion of data, the information disclosure can facilitate subsequent attacks, increasing the overall risk posture. The medium CVSS score reflects moderate impact, but the ease of exploitation by authenticated users elevates the threat in environments with multiple contributors or editors.
Mitigation Recommendations
1. Immediately restrict access to the /kaliforms/v1/forms/{id} REST API endpoint to only authorized users who own the forms or have explicit permissions.
2. Implement additional authorization checks in the plugin code to verify ownership of the form resource before returning data.
3. Limit Contributor-level user capabilities on WordPress sites to minimize unnecessary access to edit_posts or similar permissions.
4. Monitor and audit user activities related to form access and REST API usage to detect unusual enumeration attempts.
5. Disable or restrict REST API access for unauthenticated or low-privilege users if not required.
6. Regularly update the Kali Forms plugin to the latest version once a security patch is released by the vendor.
7. Consider using Web Application Firewalls (WAFs) to detect and block suspicious API requests targeting form IDs.
8. Educate site administrators about the risks of granting Contributor or higher roles without proper oversight.
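The root-cause pattern described in the Technical Summary and the object-level check called for in recommendations 1 and 2, shown side by side as an added illustration (not Kali Forms' own code). It assumes forms are stored as a WordPress custom post type with a hypothetical slug `kf_example_form` registered with `map_meta_cap` enabled, so that the `edit_post` meta-capability resolves to `edit_others_posts` for posts the caller does not own; function names prefixed `kf_example_` are invented for this example.

```php
<?php
// Added example, not the plugin's code. Assumes a custom post type
// 'kf_example_form' registered with map_meta_cap => true (hypothetical).

// Vulnerable pattern (CWE-862): a role-level capability check only.
// Every Contributor passes, no matter who owns the form identified by {id}.
function kf_example_permissions_check_vulnerable( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened pattern: resolve {id} to a concrete post and ask WordPress whether
// the current user may edit *that* object. For another user's post the
// 'edit_post' meta-cap maps to 'edit_others_posts', which Contributors lack.
function kf_example_permissions_check_fixed( WP_REST_Request $request ) {
    $form_id = absint( $request->get_param( 'id' ) );
    $form    = $form_id ? get_post( $form_id ) : null;

    // Unknown ids and posts of other types get the same response as a
    // forbidden one, so the endpoint does not reveal which form ids exist.
    $exists = $form && 'kf_example_form' === $form->post_type;
    if ( ! $exists || ! current_user_can( 'edit_post', $form->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view this form.', 'kf-example' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Minimal handler (hypothetical) so the route below is complete.
function kf_example_get_form( WP_REST_Request $request ) {
    $form = get_post( absint( $request->get_param( 'id' ) ) );
    return rest_ensure_response( array(
        'id'    => $form->ID,
        'title' => $form->post_title,
    ) );
}

// The permission_callback is where the object-level check must be wired in.
add_action( 'rest_api_init', function () {
    register_rest_route( 'kf-example/v1', '/forms/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'kf_example_get_form',
        'permission_callback' => 'kf_example_permissions_check_fixed',
        'args'                => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

A form's owner still reads their own configuration; only reads across ownership boundaries are refused, which is the behaviour the advisory says is missing.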
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-03T20:24:41.080Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69956e1c80d747be20503e21
Added to database: 2/18/2026, 7:45:32 AM
Last enriched: 2/18/2026, 8:01:00 AM
Last updated: 2/21/2026, 12:16:38 AM