CVE-2026-11579 in Kali Forms Plugininfo

Summary

by MITRE • 07/15/2026

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload files to the WordPress Media Library; the uploads are limited to WordPress's default-allowed MIME types, so this does not lead to code execution.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in the Kali Forms WordPress plugin affects versions prior to 2.4.17 and represents a critical access control flaw that undermines the security of file upload functionality within the plugin's drag-and-drop builder interface. This issue stems from insufficient validation mechanisms that fail to verify whether uploaded files are associated with legitimate form configurations containing file-upload fields, creating an unauthorized access vector for unauthenticated users to bypass normal upload restrictions.

The technical implementation flaw occurs at the plugin's file upload endpoint where the system does not perform proper form context validation before processing file uploads. Attackers can exploit this by directly submitting files to the plugin's upload handler without requiring any valid form configuration or authentication credentials, effectively circumventing the intended security boundaries that should restrict file uploads to specific forms with designated file upload fields.

This vulnerability operates under the principle of improper input validation and lacks proper authorization checks, which aligns with CWE-284 access control weaknesses and can be categorized as an insecure direct object reference attack pattern. The operational impact extends beyond simple unauthorized file uploads, as it allows malicious actors to populate the WordPress media library with arbitrary files without any form of verification or authentication. While the upload process is constrained to WordPress's default permitted MIME types which prevents code execution, the sheer volume and potential content of uploaded files can still cause significant operational issues including storage exhaustion, performance degradation, and potential information disclosure through metadata contained in uploaded files.

The security implications of this vulnerability extend into multiple attack vectors within the MITRE ATT&CK framework, particularly under the initial access category where adversaries can establish persistent presence through unauthorized file uploads. The lack of authentication requirements means that any internet-facing WordPress instance using the vulnerable plugin becomes immediately exploitable by attackers without requiring prior access or credentials. Organizations should implement immediate mitigation strategies including plugin updates to version 2.4.17 or later, which addresses the validation gap through proper form context verification before allowing file uploads.

Additional defensive measures should include implementing rate limiting on upload endpoints to prevent abuse, configuring appropriate file type restrictions beyond WordPress defaults, and monitoring media library access patterns for unusual activity that might indicate exploitation attempts. The vulnerability demonstrates the critical importance of input validation and authorization checks in web applications, particularly when handling user-supplied data through file upload mechanisms. Organizations should also consider implementing network-level protections such as web application firewalls to detect and block unauthorized upload attempts while maintaining visibility into all file upload activities within their WordPress environments.

Responsible

WPScan

Reservation

06/08/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!