Attack Vectors
CVE-2026-3584 is a Critical vulnerability (CVSS 9.8, vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the WordPress plugin Kali Forms — Contact Form & Drag-and-Drop Builder (slug: kali-forms) in versions up to and including 2.4.9.
The issue is an unauthenticated remote code execution risk via the plugin’s form_process functionality. Practically, that means an external attacker can target a public-facing form endpoint without needing a login, and attempt to execute code on the underlying web server.
Official CVE record: https://www.cve.org/CVERecord?id=CVE-2026-3584
Security Weakness
According to the published advisory, the weakness stems from how the plugin handles user-supplied form data during processing. Specifically, the plugin’s prepare_post_data logic maps user-controlled keys into internal placeholder storage, and later uses call_user_func on those placeholder values.
When user input can influence what gets executed, it creates a direct path to remote code execution. In business terms, this is a breakdown in input handling and safe execution controls within the request lifecycle of a public form.
Reference source: Wordfence vulnerability entry
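To make the described pattern concrete, the following PHP is an added illustration written for this page, not code from Kali Forms (whose source is not reproduced here): a placeholder resolver in the vulnerable shape the advisory describes, where request data both names a placeholder and ends up passed to call_user_func, next to a hardened version in which the set of callables is fixed server-side and request data is only ever substituted as an escaped string. Function names, the placeholder map and the sample request are assumptions.

```php
<?php
// Constructed illustration only; not the plugin's own code.

// VULNERABLE SHAPE: the request decides placeholder keys and values, and a
// value that happens to be a callable name gets executed during processing.
function resolve_placeholders_vulnerable(array $request, string $template): string {
    $placeholders = [];
    foreach ($request as $key => $value) {            // user-controlled keys and values
        $placeholders['{' . $key . '}'] = $value;
    }
    foreach ($placeholders as $token => $value) {
        if (is_callable($value)) {                    // attacker-influenced decision
            $placeholders[$token] = call_user_func($value);
        }
    }
    return strtr($template, $placeholders);
}

// HARDENED SHAPE: callables come from a fixed, reviewed map that request data
// cannot reach; field values are copied in as escaped strings, never resolved.
const PLACEHOLDER_RESOLVERS = [
    '{date}' => 'notification_date',                  // hypothetical resolver name
];

function notification_date(): string {
    return gmdate('Y-m-d');
}

function resolve_placeholders_hardened(array $request, array $allowed_fields, string $template): string {
    $placeholders = [];
    foreach (PLACEHOLDER_RESOLVERS as $token => $resolver) {
        $placeholders[$token] = call_user_func($resolver);   // server-chosen only
    }
    foreach ($allowed_fields as $field) {             // names from the form schema
        $raw = isset($request[$field]) ? (string) $request[$field] : '';
        $placeholders['{' . $field . '}'] = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    }
    return strtr($template, $placeholders);
}

// Constructed sample: a value that is also a PHP function name is kept as text.
$request = ['name' => 'phpinfo'];
echo resolve_placeholders_hardened($request, ['name'], "From {name} on {date}\n");
```

The check to carry into a code review is the second loop of the vulnerable version: any path where a request-derived value reaches call_user_func, call_user_func_array or a variable function call is the defect class this CVE belongs to.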
Technical or Business Impacts
If exploited, this vulnerability can allow attackers to run code on the server hosting your WordPress site. That can translate into outcomes such as website defacement, creation of hidden admin accounts, malware injection (including SEO spam), data theft, and service disruption (including downtime during incident response and recovery).
For marketing leaders and executives, the highest-risk impacts typically include: loss of customer trust after a visible compromise, lead-gen disruption if forms are taken offline, brand damage from malicious redirects or spam pages, potential compliance exposure if personal data is accessed, and unplanned costs for forensics, cleanup, and increased monitoring.
Remediation: Update Kali Forms to version 2.4.10 or a newer patched version as soon as possible. Because this is unauthenticated and Critical, treat it as an emergency change: prioritize production sites first, then staging/secondary properties, and confirm the plugin version after deployment.
Similar attacks (real-world examples): Unauthenticated or easily reachable WordPress plugin flaws have been used widely in past incidents, including CVE-2020-25213 (WordPress File Manager plugin) and CVE-2019-9978 (Social Warfare plugin), where attackers leveraged plugin weaknesses to compromise sites at scale.