Description
The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.
Published: 2026-06-30
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpchill
Wpchill kali Forms — Contact Form & Drag-and-drop Builder
Vendors & Products Wordpress
Wordpress wordpress
Wpchill
Wpchill kali Forms — Contact Form & Drag-and-drop Builder

Tue, 30 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
CWE-79

Tue, 30 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 30 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 30 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.
Title Kali Forms < 2.4.13 - Contributor+ Stored XSS via Form Field Caption
References

Subscriptions

Wordpress Wordpress
Wpchill Kali Forms — Contact Form & Drag-and-drop Builder
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-30T12:58:54.616Z

Reserved: 2026-06-08T11:58:11.924Z

Link: CVE-2026-11581

cve-icon Vulnrichment

Updated: 2026-06-30T12:58:50.516Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T09:45:03Z

Weaknesses