
Kali Forms plugin for WordPress: unauthorized access to form data

CVE-2026-1860
Summary

The Kali Forms plugin for WordPress has a security issue that allows users with Contributor-level access to read form data that belongs to other users, including administrators. This could expose sensitive information such as form field structures, Google reCAPTCHA secret keys, and email notification templates. To fix this, update the Kali Forms plugin to version 2.4.9 or later.

Original title
The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission call...
Original description
The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
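The pattern the description names, beside a hardened permission callback, as an added illustration that is not the plugin's own code. It assumes, hypothetically, that each form is stored as a `kaliforms_form` post whose `post_author` is the owner and that the post type is registered with `map_meta_cap`; the route namespace `kaliforms-example/v1` and all function names are placeholders.

```php
<?php
// Added illustration, not Kali Forms' own code. Assumes (hypothetically) that each
// form is a post of type 'kaliforms_form' with post_author as the owner.

// BEFORE (the pattern the advisory describes): a bare capability check with no
// per-resource check, so any user with edit_posts can read any form by id.
function kf_example_vulnerable_permission( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// AFTER: resolve the specific resource and ask WordPress whether this user may
// edit *this* post. 'edit_post' is a meta capability: for the author it maps to
// edit_posts, for other users' forms it requires edit_others_posts.
function kf_example_secure_permission( WP_REST_Request $request ) {
    $form_id = (int) $request->get_param( 'id' );
    $form    = get_post( $form_id );

    if ( ! $form || 'kaliforms_form' !== $form->post_type ) {
        return new WP_Error( 'rest_not_found', 'Form not found.', array( 'status' => 404 ) );
    }

    // Returning 404 here as well would additionally hide which ids exist.
    if ( ! current_user_can( 'edit_post', $form->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view this form.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'kaliforms-example/v1', '/forms/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => 'kf_example_secure_permission',
        'args'                => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
        'callback'            => function ( WP_REST_Request $request ) {
            // permission_callback has already run, so the post exists and is allowed.
            // Secrets such as reCAPTCHA keys should never be part of a read response.
            $form = get_post( (int) $request['id'] );
            return rest_ensure_response( array(
                'id'    => $form->ID,
                'title' => $form->post_title,
            ) );
        },
    ) );
} );
```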
NVD CVSS 3.1: 4.3
Vulnerability type
CWE-862 Missing Authorization
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026