CVE Catalog

CVE-2026-9107

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

The Kali Forms plugin for WordPress up to version 2.4.13 is vulnerable to Stored XSS via the 'meta[kaliforms_field_components]' parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when a user visits the compromised page.

Risk Assessment

The risk includes session hijacking, data theft, or malware distribution through script execution in the victim's browser context.

Recommendation

Update the Kali Forms plugin to the latest available version immediately. Additionally, restrict user privileges to the minimum necessary.

Original NVD description (English source)

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'meta[kaliforms_field_components]' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS