CVE-2026-3584: CWE-94 Improper Control of Generation of Code ('Code Injection') in wpchill Kali Forms — Contact Form & Drag-and-Drop Builder

Severity: Critical
Published: Fri Mar 20 2026 (03/20/2026, 21:25:11 UTC)
Source: CVE Database V5
Vendor/Project: wpchill
Product: Kali Forms — Contact Form & Drag-and-Drop Builder

Description

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/20/2026, 21:36:04 UTC

Technical Analysis

The Kali Forms plugin for WordPress, a widely used contact form and drag-and-drop form builder, contains a critical vulnerability tracked as CVE-2026-3584 and classified as CWE-94: Improper Control of Generation of Code ('Code Injection'). The root cause lies in the 'prepare_post_data' function, which maps user-supplied keys directly into internal placeholder storage without validation or sanitization. The 'form_process' function then passes these placeholder values to 'call_user_func', so a value that originated in the request is invoked as a PHP callable. Because the plugin does not require authentication or user interaction to reach this code path, an unauthenticated remote attacker can exploit the flaw to execute arbitrary code on the web server hosting the WordPress site. This could lead to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks. The vulnerability affects all versions up to and including 2.4.9. No patch had been released at the time of publication; the CVSS score of 9.8 reflects the ease of exploitation and the severe impact on confidentiality, integrity, and availability. The CVE was reserved on March 5, 2026, and published on March 20, 2026, by Wordfence. No exploitation in the wild had been observed at the time of writing, but the critical nature of the flaw demands immediate attention from site administrators and security teams.
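The unsafe shape described above, placed beside a hardened version, as an added PHP illustration that is not Kali Forms' code: the function names, the allowlist and the sample request are hypothetical.

```php
<?php
// Added illustration, not Kali Forms' code: all names below are hypothetical.
// UNSAFE SHAPE: every submitted key becomes a placeholder, and the stored
// value is later handed to call_user_func(). The request controls both the
// placeholder name and the callable, which is the CWE-94 condition described
// in the advisory.
function prepare_post_data_unsafe(array $post): array
{
    $placeholders = [];
    foreach ($post as $key => $value) {
        $placeholders['{' . $key . '}'] = $value; // no allowlist, no type check
    }
    return $placeholders;
}

function render_unsafe(string $template, array $placeholders): string
{
    foreach ($placeholders as $token => $value) {
        // $value originates in the request yet is treated as a callable.
        $template = str_replace($token, (string) call_user_func($value), $template);
    }
    return $template;
}

// HARDENED SHAPE: only known field names are accepted, user input is stored
// as data and never invoked, and dynamic tokens come from a server-defined map.
const ALLOWED_FIELDS = ['name', 'email', 'message'];
function prepare_post_data_safe(array $post): array
{
    $placeholders = [];
    foreach (ALLOWED_FIELDS as $field) {
        $raw = isset($post[$field]) ? (string) $post[$field] : '';
        $placeholders['{' . $field . '}'] = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    }
    return $placeholders; // unknown keys are silently dropped
}

function render_safe(string $template, array $placeholders): string
{
    $dynamic = ['{submitted_at}' => static fn (): string => gmdate('c')];
    foreach ($dynamic as $token => $fn) {
        $template = str_replace($token, $fn(), $template);
    }
    return strtr($template, $placeholders); // placeholders are literal text only
}

// Constructed request (not a real capture); the unknown key is ignored.
$request = ['name' => 'Ada', 'email' => 'ada@example.com', 'message' => 'Hello', 'unknown' => 'ignored'];
echo render_safe("{name} <{email}> wrote at {submitted_at}: {message}\n", prepare_post_data_safe($request));
```

The hardened path never lets request data reach call_user_func: field names are fixed by the allowlist, values are escaped text, and the only callables are closures defined on the server.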

Potential Impact

The impact of CVE-2026-3584 is severe and far-reaching. Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the web server, potentially leading to complete system compromise. This can result in unauthorized access to sensitive data, modification or deletion of website content, installation of backdoors or malware, and disruption of service. Organizations relying on Kali Forms for their WordPress sites risk data breaches, reputational damage, and operational downtime. Attackers could also leverage compromised servers to launch further attacks within the network or against other targets. Given WordPress's widespread use globally, the vulnerability could affect a large number of websites, including those of small businesses, enterprises, and critical infrastructure providers. The lack of authentication and user interaction requirements significantly lowers the barrier to exploitation, increasing the likelihood of attacks once exploit code becomes publicly available.

Mitigation Recommendations

Until an official patch is released, organizations should take immediate steps to mitigate the risk. First, disable or deactivate the Kali Forms plugin on all WordPress installations if it is not essential. If the plugin is required, restrict access to the WordPress admin panel and form submission endpoints using web application firewalls (WAFs) or IP whitelisting to limit exposure to trusted users only. Employ strict input validation and sanitization at the web server or application firewall level to block suspicious payloads targeting the vulnerable functions. Monitor web server logs for unusual or suspicious requests that may indicate exploitation attempts. Regularly back up website data and configurations to enable rapid recovery in case of compromise. Additionally, maintain up-to-date WordPress core and plugins to reduce the attack surface. Security teams should prepare to apply patches promptly once they become available and consider deploying intrusion detection systems (IDS) to detect exploitation attempts. Engaging with the plugin vendor and following official security advisories is critical for timely remediation.

Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-03-05T05:20:57.880Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69bdbd91e2bf98efc48d0977

Added to database: 3/20/2026, 9:35:13 PM

Last enriched: 3/20/2026, 9:36:04 PM

Last updated: 3/21/2026, 1:27:03 AM
