Which Kali Forms — Contact Form & Drag-and-Drop Builder CVEs are tracked?

Kali Forms — Contact Form & Drag-and-Drop Builder tracked CVEs include CVE-2026-3584, CVE-2020-36717, CVE-2020-36712, CVE-2024-1217, and CVE-2020-36720.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 11 known issues Latest disclosed Mar 20, 2026

Kali Forms — Contact Form & Drag-and-Drop Builder Vulnerabilities

Q: How many Kali Forms — Contact Form & Drag-and-Drop Builder vulnerabilities have patch guidance?

11 of 11 tracked Kali Forms — Contact Form & Drag-and-Drop Builder records include a published patch path.

Review known vulnerability records for the WordPress plugin Kali Forms — Contact Form & Drag-and-Drop Builder (`kali-forms`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-3584, CVE-2026-1860 and CVE-2025-3201, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Mar 20, 2026

Priority CVE Quick Links

Fast paths into Kali Forms — Contact Form & Drag-and-Drop Builder CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2026-3584 Critical 2.4.10

CVE-2026-3584 Kali Forms — Contact Form & Drag-and-Drop Builder Remote Code Execution

Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process

CVE-2020-36717 High 2.1.2

CVE-2020-36717 Kali Forms — Contact Form & Drag-and-Drop Builder Cross-Site Request Forgery

Kali Forms <= 2.1.1 - Cross-Site Request Forgery

CVE-2020-36712 High 2.1.2

CVE-2020-36712 Kali Forms — Contact Form & Drag-and-Drop Builder Vulnerability

Kali Forms <= 2.1.1 - Unauthenticated Arbitrary Post Deletion

CVE-2024-1217 High 2.3.42

CVE-2024-1217 Kali Forms — Contact Form & Drag-and-Drop Builder Vulnerability

Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization to Arbitrary Plugin Deactivation

CVE-2020-36720 High 2.1.2

CVE-2020-36720 Kali Forms — Contact Form & Drag-and-Drop Builder Vulnerability

Kali Forms <= 2.1.1 - Missing Authorization to Settings Update

CVE-2024-22305 Medium 2.3.37

CVE-2024-22305 Kali Forms — Contact Form & Drag-and-Drop Builder Authorization Bypass

Contact Form builder with drag & drop - Kali Forms <= 2.3.36 - Insecure Direct Object Reference

CVE-2023-45275 Medium 2.3.29

CVE-2023-45275 Kali Forms — Contact Form & Drag-and-Drop Builder Vulnerability

Contact Form builder with drag & drop - Kali Forms <= 2.3.28 - Missing Authorization via get_log

CVE-2025-3201 Medium 2.4.3

CVE-2025-3201 Kali Forms — Contact Form & Drag-and-Drop Builder Stored Cross-Site Scripting

Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Kali Forms — Contact Form & Drag-and-Drop Builder so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

11 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

1 critical and 4 high severity findings.

Recent CVEs

CVE-2026-3584, CVE-2026-1860 and CVE-2025-3201

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-3584 Critical Patch path listed

CVE-2026-3584: Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data'...

Published

Mar 20, 2026

Patch Status

2.4.10

Open CVE-2026-3584 Report

CVE-2026-1860 Medium Patch path listed

CVE-2026-1860: Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permissi...

Published

Feb 17, 2026

Patch Status

2.4.9

Open CVE-2026-1860 Report

CVE-2025-3201 Medium Patch path listed

CVE-2025-3201: Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.2 due to insu...

Published

Apr 25, 2025

Patch Status

2.4.3

Open CVE-2025-3201 Report

Known Vulnerabilities

Reports for Kali Forms — Contact Form & Drag-and-Drop Builder

Sorted by latest disclosure date so newly published issues surface first.

Plugin Critical Patched: Yes CVE-2026-3584

CVE-2026-3584: Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined...

Published

Mar 20, 2026

Patched Release

2.4.10

Affected Versions

Versions up to 2.4.9

Next Step

Update to 2.4.10 or newer if supported.

Open CVE-2026-3584 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-1860

CVE-2026-1860: Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edi...

Published

Feb 17, 2026

Patched Release

2.4.9

Affected Versions

Versions up to 2.4.8

Next Step

Update to 2.4.9 or newer if supported.

Open CVE-2026-1860 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-3201

CVE-2025-3201: Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Published

Apr 25, 2025

Patched Release

2.4.3

Affected Versions

Versions up to 2.4.2

Next Step

Update to 2.4.3 or newer if supported.

Open CVE-2025-3201 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-1218

CVE-2024-1218: Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized access and modification of data via API due to an inconsistent capability check on several REST endpoints in all versions up to, and including, 2.3.41. This mak...

Published

Feb 19, 2024

Patched Release

2.3.42

Affected Versions

Versions up to 2.3.41

Next Step

Update to 2.3.42 or newer if supported.

Open CVE-2024-1218 Report Open CVE Reference

Plugin High Patched: Yes CVE-2024-1217

CVE-2024-1217: Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization to Arbitrary Plugin Deactivation

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it poss...

Published

Feb 19, 2024

Patched Release

2.3.42

Affected Versions

Versions up to 2.3.41

Next Step

Update to 2.3.42 or newer if supported.

Open CVE-2024-1217 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-22305

CVE-2024-22305: Contact Form builder with drag & drop - Kali Forms <= 2.3.36 - Insecure Direct Object Reference

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.36 due to missing validation on a user controlled key. This makes it possible for unauthenticated...

Published

Jan 17, 2024

Patched Release

2.3.37

Affected Versions

Versions up to 2.3.36

Next Step

Update to 2.3.37 or newer if supported.

Open CVE-2024-22305 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-46083

CVE-2023-46083: Contact Form builder with drag & drop - Kali Forms <= 2.3.27 - Missing Authorization via Contact Form

The Contact Form builder with drag & drop - Kali Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing check on the run_form_process_checks function in versions up to, and including, 2.3.27. This makes it possible for unauthenticated attac...

Published

Oct 16, 2023

Patched Release

2.3.28

Affected Versions

Versions up to 2.3.27

Next Step

Update to 2.3.28 or newer if supported.

Open CVE-2023-46083 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-45275

CVE-2023-45275: Contact Form builder with drag & drop - Kali Forms <= 2.3.28 - Missing Authorization via get_log

The Contact Form builder with drag & drop - Kali Forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_log function in versions up to, and including, 2.3.28. This makes it possible for authenticated attackers, with subscriber...

Published

Oct 06, 2023

Patched Release

2.3.29

Affected Versions

Versions up to 2.3.28

Next Step

Update to 2.3.29 or newer if supported.

Open CVE-2023-45275 Report Open CVE Reference

Plugin High Patched: Yes CVE-2020-36720

CVE-2020-36720: Kali Forms <= 2.1.1 - Missing Authorization to Settings Update

The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change (or delete) the plugin...

Published

Aug 21, 2020

Patched Release

2.1.2

Affected Versions

Versions before 2.1.2

Next Step

Update to 2.1.2 or newer if supported.

Open CVE-2020-36720 Report Open CVE Reference

Plugin High Patched: Yes CVE-2020-36712

CVE-2020-36712: Kali Forms <= 2.1.1 - Unauthenticated Arbitrary Post Deletion

The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for unauthentica...

Published

Aug 21, 2020

Patched Release

2.1.2

Affected Versions

Versions before 2.1.2

Next Step

Update to 2.1.2 or newer if supported.

Open CVE-2020-36712 Report Open CVE Reference

Plugin High Patched: Yes CVE-2020-36717

CVE-2020-36717: Kali Forms <= 2.1.1 - Cross-Site Request Forgery

The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to incorrect nonce handling throughout the plugin's function. This makes it possible for unauthenticated attackers to access the plugin's administr...

Published

Aug 21, 2020

Patched Release

2.1.2

Affected Versions

Versions before 2.1.2

Next Step

Update to 2.1.2 or newer if supported.

Open CVE-2020-36717 Report Open CVE Reference