Attack Vectors
Medium-severity vulnerability (CVSS 4.3) in Kali Forms — Contact Form & Drag-and-Drop Builder (slug: kali-forms) affecting all versions up to and including 2.4.8. It can be exploited remotely over the internet without user interaction.
The primary attack path is an authenticated user (Contributor-level or higher) abusing a WordPress REST API endpoint to access form data they should not be able to view. The risk increases in organizations that grant multiple internal users, agencies, contractors, or freelancers Contributor+ access to manage content.
An attacker could potentially enumerate form IDs and retrieve form configuration data for forms owned by other users, including administrators. This is a classic “authenticated but unauthorized access” scenario that can slip through role-based access controls when ownership checks are missing.
Security Weakness
This issue is an Insecure Direct Object Reference (IDOR) vulnerability. In Kali Forms versions <= 2.4.8, the permission callback for the /kaliforms/v1/forms/{id} REST API endpoint checks whether the requester has the edit_posts capability, but does not verify whether the requester is authorized to access the specific form resource identified by {id}.
As a result, a user who is allowed to edit posts (such as a Contributor) may still be able to access form configuration data they do not own and are not intended to see, simply by requesting a different form ID.
Remediation is straightforward: update Kali Forms to version 2.4.9 or newer, which includes the patch for CVE-2026-1860.
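To make the weakness concrete, the following is an added illustrative example written for this page; it is not Kali Forms' own code and does not claim to reproduce the plugin's patch. It contrasts the weak pattern described above (a REST permission callback that only checks a role capability) with a hardened callback that also performs the object-level check. The route namespace `example/v1`, the post type name `example_form`, the meta key `example_form_config` and every function name are assumptions chosen for the example.

```php
<?php
// Added example, not Kali Forms' code. Assumes forms are stored as posts of a
// hypothetical custom post type 'example_form' registered with map_meta_cap => true.

// Weak pattern: a role-level capability check with no object-level authorization.
// Any user who can edit posts (Contributor and above) passes for every {id}.
function example_forms_permission_weak( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened pattern: the same capability gate plus an ownership check bound to {id}.
function example_forms_permission_hardened( WP_REST_Request $request ) {
    $form_id = (int) $request['id'];
    $form    = get_post( $form_id );

    // Reject missing IDs and IDs that belong to some other post type. The same
    // generic error is returned in every failure case so that responses do not
    // reveal which form IDs exist.
    if ( ! $form || 'example_form' !== $form->post_type ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }

    // 'edit_post' is a meta capability: WordPress resolves it per post, so a
    // Contributor passes only for forms they authored, while administrators
    // (who hold edit_others_posts) pass for all forms.
    if ( ! current_user_can( 'edit_post', $form_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }

    return true;
}

// Route handler: only reached after the permission callback returned true.
function example_forms_get( WP_REST_Request $request ) {
    $form = get_post( (int) $request['id'] );

    return rest_ensure_response( array(
        'id'     => $form->ID,
        'title'  => $form->post_title,
        'config' => get_post_meta( $form->ID, 'example_form_config', true ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forms/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_forms_get',
        'permission_callback' => 'example_forms_permission_hardened',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
            ),
        ),
    ) );
} );
```

The important design point is that `current_user_can( 'edit_post', $form_id )` is evaluated against the specific object named in the request, whereas `current_user_can( 'edit_posts' )` answers a question about the role alone. For a custom post type this mapping only works if the type is registered with `map_meta_cap => true` (or `capability_type => 'post'`); otherwise the per-object check has to be written explicitly, for example by comparing `$form->post_author` with `get_current_user_id()` and falling back to `edit_others_posts` for privileged roles. When auditing a plugin, a quick check is to grep every `permission_callback` for capability names ending in `_posts` with no use of the request's `id` parameter.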
Technical or Business Impacts
For marketing and business leaders, the key risk is unauthorized exposure of sensitive form configuration data. Depending on how your forms are built, configuration data may reveal internal workflows, campaign logic, embedded third-party integration details, or other operational information that should be limited to specific teams.
From a business-risk perspective, this can lead to data governance and compliance concerns, particularly if internal access is widely distributed across departments or external partners. Even “read-only” exposure can trigger incident response obligations if sensitive information is revealed to an unauthorized party.
Operationally, this vulnerability also increases the risk of insider misuse or unintended access by well-meaning users who have legitimate WordPress accounts but should not have cross-team visibility into all forms. For organizations with multiple brands, regions, or regulated lines of business, that separation of access is often an explicit control requirement.
Similar Attacks
IDOR and broken access control issues are among the most common real-world web application failures. They are frequently exploited to access other users’ records when object-level authorization is missing. For broader context, see these well-known references and examples:
OWASP Top 10 (2021) A01: Broken Access Control
Verizon Data Breach Investigations Report (DBIR)
MITRE CWE-639: Authorization Bypass Through User-Controlled Key