CVE-2026-1860 in Kali Forms Plugin
Summary
by MITRE • 02/18/2026
The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/18/2026
The vulnerability identified as CVE-2026-1860 affects the Kali Forms plugin for WordPress, presenting a critical Insecure Direct Object Reference (IDOR) flaw that has been present in all versions up to and including 2.4.8. This security weakness fundamentally undermines the access control mechanisms implemented by the plugin's REST API endpoint, creating a significant risk for WordPress installations that rely on this form management solution. The vulnerability stems from inadequate authorization checks within the plugin's permission callback implementation, specifically in the `get_items_permissions_check()` function that governs access to the `/kaliforms/v1/forms/{id}` endpoint.
The technical flaw manifests when the plugin fails to validate whether a requesting user possesses legitimate ownership or authorization over a specific form resource before granting access to its configuration data. This oversight allows authenticated users with Contributor-level privileges or higher to exploit the API endpoint by simply enumerating form IDs, bypassing the intended access controls that should restrict data access to only those users who own or have explicit authorization for particular forms. The vulnerability operates at the application layer and specifically targets the REST API architecture, making it particularly dangerous as it leverages the legitimate API functionality to gain unauthorized access to sensitive information.
The operational impact of this vulnerability extends far beyond simple data exposure, as it provides attackers with access to highly sensitive configuration data that could facilitate further exploitation attempts. The exposed information includes comprehensive form field structures that reveal the types of data being collected, Google reCAPTCHA secret keys that could be used for credential stuffing attacks or to bypass CAPTCHA protections on other services, email notification templates that might contain sensitive data handling procedures, and server paths that could be used for additional reconnaissance activities. This comprehensive data exposure creates a significant risk for organizations relying on the plugin, as it provides attackers with valuable intelligence for planning more sophisticated attacks.
From a cybersecurity perspective, this vulnerability aligns with CWE-284, which describes improper access control mechanisms, and represents a clear violation of the principle of least privilege that should govern all API access controls. The ATT&CK framework categorizes this issue under privilege escalation and credential access tactics, as the vulnerability allows attackers to escalate their privileges through information gathering and potentially use the exposed credentials for further compromise. The fact that this vulnerability affects users with Contributor-level access demonstrates how even seemingly limited user roles can be exploited to gain unauthorized access to sensitive organizational data, highlighting the importance of proper access control implementation at all privilege levels.
Organizations utilizing the Kali Forms plugin should immediately implement mitigations including updating to the latest version of the plugin where the vulnerability has been addressed, implementing additional access controls through custom WordPress capabilities, and conducting comprehensive audits of exposed form data to identify any potential compromise. Network monitoring should be enhanced to detect unusual API access patterns, particularly around form enumeration activities, while administrators should review user permissions and consider implementing role-based access controls that restrict form access based on user ownership. The vulnerability also underscores the critical importance of regular security assessments of third-party plugins and the need for implementing robust API security measures that go beyond basic capability checks to include proper resource ownership verification.