CVE-2026-11580 in Kali Forms Plugin
Summary
by MITRE • 07/15/2026
The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin affects versions prior to 2.4.17 and represents a critical authorization flaw that undermines the fundamental security model of WordPress content management systems. This issue stems from the absence of proper capability checks within the post duplication functionality, specifically during the AJAX post-duplication action. The flaw allows users with Contributor-level privileges or higher to manipulate the plugin's core functionality in ways that should be restricted to authorized administrators or content owners.
The technical implementation of this vulnerability occurs through a missing authorization check mechanism that should validate whether a user has the appropriate permissions to duplicate posts across different ownership boundaries. When a user with Contributor access or above invokes the duplication function, the system fails to verify if the target post belongs to them or if they possess sufficient privileges to modify it. This oversight creates an arbitrary post duplication scenario where malicious actors can copy any existing post regardless of its original owner, post type, or current status.
The operational impact of this vulnerability extends beyond simple unauthorized content manipulation and presents significant data exposure risks within WordPress environments. Since the duplicated posts maintain their original metadata structure, users with elevated privileges can access private post information including sensitive configuration details, secret keys, and other confidential data that may have been stored within the plugin's metadata fields. This breach of data confidentiality creates potential attack vectors for privilege escalation and information gathering activities that could compromise entire WordPress installations.
The vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic example of insufficient authorization checks within web applications, particularly affecting content management systems where user roles and permissions are critical for maintaining security boundaries. From an ATT&CK framework perspective, this issue maps to privilege escalation techniques where attackers leverage existing permissions to gain access to restricted resources, potentially leading to more severe compromises including full administrative control of affected WordPress installations.
Organizations should implement immediate mitigations including updating to version 2.4.17 or later, which addresses the missing capability checks in the post duplication functionality. Administrators should also review user roles and capabilities within their WordPress installations, ensuring that only trusted users have Contributor-level access or higher. Additional protective measures include implementing network-level restrictions on AJAX endpoints, monitoring for unusual duplication activities, and conducting regular security audits of installed plugins to identify similar authorization flaws. The vulnerability demonstrates the critical importance of proper input validation and capability verification in web applications, particularly when dealing with user-generated content manipulation features that could be exploited across different user roles and post ownership boundaries.