CVE-2026-1860

4.3 MEDIUM

📋 TL;DR

The Kali Forms WordPress plugin has an Insecure Direct Object Reference vulnerability that allows authenticated users with Contributor-level access or higher to access form configuration data belonging to other users by enumerating form IDs. This exposes sensitive information including form structures, Google reCAPTCHA secret keys, email templates, and server paths. All WordPress sites using Kali Forms versions up to 2.4.8 are affected.

💻 Affected Systems

Products:
  • Kali Forms WordPress Plugin
Versions: All versions up to and including 2.4.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Kali Forms plugin and at least one authenticated user with Contributor role or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal Google reCAPTCHA secret keys to bypass bot protection, access sensitive form configurations, and potentially use exposed server paths for further attacks.

🟠 Likely Case

Unauthorized access to form configurations and sensitive data belonging to other users, potentially exposing business logic and notification templates.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place, though sensitive data exposure still occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward through REST API enumeration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.9 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3460047/kali-forms/trunk?contextall=1&old=3435823&old_path=%2Fkali-forms%2Ftrunk

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find Kali Forms and click 'Update Now'.
  4. Alternatively, download version 2.4.9+ from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable REST API endpoint

Applies to: all

Remove or restrict access to the vulnerable REST API endpoint. Add to the theme's functions.php or a custom plugin:

remove_action('rest_api_init', 'KaliForms\Inc\Backend\Rest\Forms_REST_Controller::register_routes');

Note that remove_action() only takes effect when the callback string and priority match exactly how the plugin registered the hook and the removal runs after that registration; confirm afterwards that the route is no longer served.

Restrict user roles

Applies to: all

Limit the number of users holding the Contributor role or higher.

🧯 If You Can't Patch

  • Implement network-level restrictions to block access to /wp-json/kaliforms/v1/forms/* endpoints
  • Enable detailed logging and monitoring of REST API access patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Kali Forms version. If version is 2.4.8 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=kali-forms --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, verify Kali Forms version is 2.4.9 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple GET requests to /wp-json/kaliforms/v1/forms/ with different numeric IDs
  • Unauthorized access attempts from Contributor-level users

Network Indicators:

  • HTTP 200 responses to /wp-json/kaliforms/v1/forms/{id} from non-admin users
  • Pattern of sequential form ID requests

SIEM Query:

source="wordpress.log" AND uri="/wp-json/kaliforms/v1/forms/*" AND user_role IN ("contributor","author","editor")
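As an added example (not part of this advisory), a small Python detector for the log indicators above: it parses web server access-log lines in combined log format, keeps only successful GETs to the /wp-json/kaliforms/v1/forms/{id} route, and flags any client that retrieved several distinct form IDs. The log lines are constructed samples, and the combined log format and the threshold of three IDs are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic): one Contributor walking form IDs
# 1-4, one admin reading a single form, one unauthenticated 401, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - contributor1 [10/Jan/2026:10:00:01 +0000] "GET /wp-json/kaliforms/v1/forms/1 HTTP/1.1" 200 812
10.0.0.5 - contributor1 [10/Jan/2026:10:00:02 +0000] "GET /wp-json/kaliforms/v1/forms/2 HTTP/1.1" 200 790
10.0.0.5 - contributor1 [10/Jan/2026:10:00:03 +0000] "GET /wp-json/kaliforms/v1/forms/3 HTTP/1.1" 200 805
10.0.0.5 - contributor1 [10/Jan/2026:10:00:04 +0000] "GET /wp-json/kaliforms/v1/forms/4 HTTP/1.1" 200 811
10.0.0.9 - admin [10/Jan/2026:10:05:00 +0000] "GET /wp-json/kaliforms/v1/forms/7 HTTP/1.1" 200 900
10.0.0.7 - - [10/Jan/2026:10:06:00 +0000] "GET /wp-json/kaliforms/v1/forms/7 HTTP/1.1" 401 120
10.0.0.5 - contributor1 [10/Jan/2026:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 5000
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# The vulnerable route from the advisory, followed by a numeric form ID
FORM_RE = re.compile(r'^/wp-json/kaliforms/v1/forms/(?P<form_id>\d+)(?:[/?]|$)')

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if unparsable."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_sequential(ids):
    """True when the sorted IDs form an unbroken run (classic ID enumeration)."""
    return len(ids) > 1 and ids == list(range(ids[0], ids[0] + len(ids)))

def find_enumeration(log_text, threshold=3):
    """Map (ip, user) -> sorted distinct form IDs for clients that received
    HTTP 200 for at least `threshold` different form IDs; a 200 to a form the
    user does not own is what the IDOR looks like on the wire."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        fm = FORM_RE.match(rec["path"])
        if fm:
            seen[(rec["ip"], rec["user"])].add(int(fm.group("form_id")))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (ip, user), ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip} {user}: form IDs {ids} sequential={is_sequential(ids)}")
```

Flagged (ip, user) pairs still need to be checked against the WordPress user's role, since an administrator reading many forms is expected behaviour.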
