CVE-2020-36712
📋 TL;DR
The Kali Forms WordPress plugin, up to and including version 2.1.1, contains an unauthenticated arbitrary post deletion vulnerability. The plugin's AJAX handler kaliforms_form_delete_uploaded_file performs no authentication or authorization check before deleting the post whose ID it is given, so anyone who can reach the site can delete any WordPress post or page. All WordPress sites running a vulnerable version of Kali Forms are affected.
💻 Affected Systems
- WordPress Kali Forms Plugin
📦 What is this software?
Kali Forms by Kaliforms, a form builder plugin for WordPress.
⚠️ Risk & Real-World Impact
Worst Case
Complete website defacement or destruction through deletion of all posts and pages, causing business disruption and data loss.
Likely Case
Selective deletion of important content pages, causing operational disruption and requiring restoration from backups.
If Mitigated
No impact if the plugin is updated or removed, or if a web application firewall blocks the malicious request.
🎯 Exploit Status
A single unauthenticated HTTP request to /wp-admin/admin-ajax.php with action=kaliforms_form_delete_uploaded_file and the target post's id parameter is enough to trigger the deletion. No login, nonce or capability is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.2 and later
Vendor Advisory: https://wordpress.org/plugins/kali-forms/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Kali Forms and click 'Update Now'.
4. Verify the installed version is 2.1.2 or higher.
🔧 Temporary Workarounds
Disable Kali Forms Plugin
Temporarily deactivate the vulnerable plugin until it can be updated. An inactive plugin's AJAX handlers are not registered, so the endpoint is no longer reachable.
wp plugin deactivate kali-forms
Web Application Firewall Rule
Block requests carrying the kaliforms_form_delete_uploaded_file AJAX action. The action is normally sent in the POST body, so inspect request arguments in phase 2 (this needs SecRequestBodyAccess On) rather than REQUEST_URI, which only sees the query string:
ModSecurity rule: SecRule ARGS:action "@streq kaliforms_form_delete_uploaded_file" "id:1001,phase:2,deny,status:403,log,msg:'CVE-2020-36712 Kali Forms post deletion attempt'"
This may also block the plugin's own legitimate use of that action until the update is applied.
🧯 If You Can't Patch
- Remove the Kali Forms plugin completely if it is not essential
- Do not rely on restricting /wp-admin/ at the network layer: admin-ajax.php is reachable by unauthenticated visitors by design, and blocking it wholesale breaks front-end features of many plugins. Block the specific action (see the WAF rule above) instead
- Keep recent, tested backups of the database so deleted posts and pages can be restored
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Kali Forms version ≤2.1.1
Check Version:
wp plugin list --name=kali-forms --field=version
Verify Fix Applied:
Confirm Kali Forms version is ≥2.1.2 in WordPress admin panel
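As an added example (not code from the advisory or from the plugin), this Python helper checks WP-CLI output against the fixed version. It compares versions numerically, because a plain string comparison ranks 2.1.10 below 2.1.9, and it distinguishes an installed-but-inactive vulnerable copy (not exploitable until reactivated, but still to be updated) from an active one. The JSON is a constructed sample in the shape `wp plugin list --name=kali-forms --format=json` prints, not output from a real site.

```python
import json
import re
import sys

PATCHED_VERSION = "2.1.2"  # first fixed release according to the advisory

# Constructed sample of `wp plugin list --name=kali-forms --format=json` output;
# not taken from a real installation.
SAMPLE_WP_CLI_JSON = (
    '[{"name":"kali-forms","status":"active","update":"available","version":"2.1.1"}]'
)


def parse_version(v):
    """Turn '2.1.1' (or 'v2.1.10') into a tuple of ints so comparison is numeric,
    not lexicographic. Non-numeric suffix text is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable_version(v):
    """True for any release below 2.1.2, i.e. 2.1.1 and earlier."""
    return parse_version(v) < parse_version(PATCHED_VERSION)


def assess(wp_cli_json):
    """Classify each plugin entry from WP-CLI JSON output."""
    findings = []
    for entry in json.loads(wp_cli_json):
        vulnerable = is_vulnerable_version(entry["version"])
        findings.append({
            "name": entry["name"],
            "version": entry["version"],
            "status": entry["status"],
            "vulnerable_version": vulnerable,
            # An inactive plugin is not loaded, so its AJAX handlers are not
            # registered and the endpoint is not exploitable right now; it still
            # has to be updated before it is reactivated.
            "exploitable": vulnerable and entry["status"] == "active",
        })
    return findings


if __name__ == "__main__":
    # Pipe real output in: wp plugin list --name=kali-forms --format=json | python3 check.py
    data = SAMPLE_WP_CLI_JSON if sys.stdin.isatty() else sys.stdin.read()
    for finding in assess(data):
        print(finding)
```

The active/inactive distinction matters for triage order, not for the remediation: every copy below 2.1.2 should be updated or deleted.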
📡 Detection & Monitoring
Log Indicators:
- HTTP requests (POST or GET, since admin-ajax.php reads the action from $_REQUEST) to /wp-admin/admin-ajax.php with action=kaliforms_form_delete_uploaded_file and an id parameter. A plain web-server access log only shows the action when it is sent in the query string; when it is in the POST body you need a WAF audit log or WordPress-level request logging to see it
- Unexpected post/page deletions in WordPress logs, or posts that vanish from the site with no matching admin activity
Network Indicators:
- Unusual spikes in POST requests to admin-ajax.php from unauthenticated sources, especially from a single IP with a non-browser user agent
SIEM Query (assumes a log source that records the AJAX action and the authenticated user id):
source="wordpress.log" AND "kaliforms_form_delete_uploaded_file" AND NOT user_id=*
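As an added example (not part of the original advisory), the following Python script applies the log indicators above to a few constructed access-log lines in combined format. It flags requests to admin-ajax.php whose query string carries the vulnerable action and an id, groups them by source IP, and separately counts POSTs to admin-ajax.php with no action in the URL, which an access log alone cannot classify because the action is then in the request body. The log lines, IPs, timestamps and user agents are made up for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "kaliforms_form_delete_uploaded_file"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=kaliforms_form_delete_uploaded_file&id=17 HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Mar/2021:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=kaliforms_form_delete_uploaded_file&id=18 HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
198.51.100.4 - - [12/Mar/2021:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:01:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
192.0.2.9 - - [12/Mar/2021:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "status": int(m.group("status")),
        # admin-ajax.php reads action and id from $_REQUEST, so GET and POST both count.
        "action": qs.get("action", [None])[0],
        "post_id": qs.get("id", [None])[0],
    }


def analyze(log_text):
    """Return exploit hits plus the per-IP count of admin-ajax POSTs that cannot be
    classified from the access log alone (action sent in the request body)."""
    hits = []
    opaque_posts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != AJAX_PATH:
            continue
        if rec["action"] == VULN_ACTION:
            hits.append(rec)
        elif rec["action"] is None and rec["method"] == "POST":
            # Needs a WAF audit log or WordPress-level logging to tell what it was.
            opaque_posts[rec["ip"]] += 1
    return {
        "hits": hits,
        "hits_by_ip": Counter(h["ip"] for h in hits),
        "opaque_posts_by_ip": opaque_posts,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for h in result["hits"]:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} id={h["post_id"]} status={h["status"]}')
    print("exploit attempts by IP:", dict(result["hits_by_ip"]))
    print("unclassifiable admin-ajax POSTs by IP:", dict(result["opaque_posts_by_ip"]))
```

Run it against a real log with `analyze(open("access.log").read())`. A non-zero count in opaque_posts_by_ip next to confirmed hits from the same IP is the cue to pull that host's requests from the WAF audit log, where the POST body is recorded.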
🔗 References
- https://blog.nintechnet.com/wordpress-kali-forms-plugin-fixed-multiple-vulnerabilities/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/92644676-add4-415c-9a1a-c6616108688d?source=cve