JustAppSec

Kali Forms unauthenticated RCE is under active exploitation

Published 13 Apr 2026. Source: Wordfence Blog

TL;DR — A critical unauthenticated RCE in the WordPress plugin Kali Forms is being exploited in the wild; sites on <= 2.4.9 should move to a patched release (2.4.10 or later).

What happened

Kali Forms is a WordPress contact-form plugin with a drag-and-drop builder that processes untrusted form submissions via a public AJAX endpoint.

Wordfence published incident-driven coverage of active exploitation of a critical unauthenticated remote code execution vulnerability (CVE-2026-3584) in Kali Forms. The issue is reachable through the plugin’s form submission handling (the form_process path), where attacker-controlled keys can be mapped into internal placeholder storage and later executed via call_user_func, yielding code execution without authentication.

Wordfence’s write-up notes attackers quickly weaponized the bug after disclosure, and reports large-scale exploitation activity (hundreds of thousands of blocked attempts). This matters because WordPress plugin RCE remains a reliable “one-request-to-foothold” path on internet-facing sites, and exploitation volume tends to stay high until long-tail sites update.

Who is impacted

  • WordPress sites running the Kali Forms — Contact Form & Drag-and-Drop Builder plugin.
  • Affected versions: <= 2.4.9.
  • Highest risk: internet-exposed WordPress sites that allow unauthenticated access to admin-ajax.php (typical default) and have Kali Forms installed.

Item                 Source value
Vulnerability        Unauthenticated Remote Code Execution (RCE) via form_process
CVSS (Wordfence)     9.8 (Critical)
Affected versions    <= 2.4.9
Patched version      2.4.10

Operational note from the report: Wordfence describes an exploitation pattern where attackers can use the primitive to obtain admin cookies (e.g., by invoking authentication-related WordPress functions) and then pivot to persistent compromise (such as modifying theme files).

What to do now

  • Follow vendor remediation guidance and apply the patched release.

    "Update to version 2.4.10, or a newer patched version"

  • Inventory your WordPress fleet for the kali-forms plugin and prioritize public-facing sites first (including staging sites that are still internet-reachable).
  • If you suspect exposure, review web logs for POST requests to wp-admin/admin-ajax.php invoking the Kali Forms action handler (the report includes an example request shape), and investigate for follow-on admin activity (new admin users, modified themes/plugins, unexpected functions.php edits).
  • If you run Wordfence, confirm your sites are both patched and receiving firewall rules; the report calls out different protection timing for paid vs free tiers.
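The log review suggested above, as an added triage script that is not part of the Wordfence report or this summary: it parses combined-format access logs and flags any client that POSTed to admin-ajax.php and then hit an admin endpoint shortly afterwards. The FOLLOW_ON endpoint list, the 15-minute window and the sample log lines are assumptions chosen to mirror the follow-on activity the report describes.

```python
"""Triage WordPress access logs for the pattern described above: an unauthenticated POST
to admin-ajax.php followed by admin-area activity from the same client. Combined log
format (Apache/Nginx default) is assumed; SAMPLE_LOG is constructed data."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
AJAX = "/wp-admin/admin-ajax.php"
# Assumed list of admin endpoints whose use shortly after the AJAX POST matches the
# follow-on activity the report describes (theme edits, new users, plugin changes).
FOLLOW_ON = ("/wp-admin/theme-editor.php", "/wp-admin/user-new.php",
             "/wp-admin/plugin-editor.php", "/wp-admin/plugin-install.php")

def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(lines, window_s=900):
    """Return {ip: [(ajax_post_iso_time, follow_on_path), ...]} for clients that
    POSTed to admin-ajax.php and hit an admin endpoint within window_s seconds."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        posts = [r for r in recs if r["method"] == "POST" and r["path"].startswith(AJAX)]
        for p in posts:
            for r in recs:
                delta = (r["ts"] - p["ts"]).total_seconds()
                if 0 < delta <= window_s and r["path"].split("?")[0] in FOLLOW_ON:
                    hits.setdefault(ip, []).append((p["ts"].isoformat(), r["path"]))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not data from the report
    '203.0.113.7 - - [13/Apr/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [13/Apr/2026:10:00:09 +0000] "GET /wp-admin/theme-editor.php?file=functions.php HTTP/1.1" 200 9021 "-" "curl/8.0"',
    '198.51.100.4 - - [13/Apr/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "https://example.test/contact/" "Mozilla/5.0"',
    '198.51.100.4 - - [13/Apr/2026:10:03:00 +0000] "GET /contact/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]
```

Access logs do not carry the POST body, so the AJAX action name cannot be matched here; the signal is the correlation with admin-area requests, and a legitimate form submission (the second client) produces no hit.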
