CVE-2026-9107
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
The Kali Forms plugin for WordPress up to version 2.4.13 is vulnerable to Stored XSS via the 'meta[kaliforms_field_components]' parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when a user visits the compromised page.
Risk Assessment
The risk includes session hijacking, data theft, or malware distribution through script execution in the victim's browser context.
Recommendation
Update the Kali Forms plugin to the latest available version immediately. Additionally, restrict user privileges to the minimum necessary.
Original NVD description (English source)
The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'meta[kaliforms_field_components]' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

