CVE Catalog

CVE-2026-11581

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

The Kali Forms WordPress plugin before 2.4.13 does not sanitize a form field's caption before outputting it as a column header on the admin form-entries screen. Users with Contributor-level access or above can inject JavaScript that executes in an administrator's session. A missing capability check in the post-duplication action allows the Contributor to publish the malicious form so an administrator renders it.

Risk Assessment

An attacker with low privileges can hijack an administrator's session, steal data, or spread malware within the WordPress admin panel.

Recommendation

Immediately update the Kali Forms plugin to version 2.4.13 or later. Restrict user roles with access to the form editor.

Original NVD description (English source)

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS