TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Wordfence Blog

Attackers Actively Exploiting Critical Vulnerability in Kali Forms Plugin

István Márton · 2026-04-13

ATT&CK techniques detected

4 predictions
T1190 Exploit Public-Facing Application · 96%
“activity or accounts on your site, and you are running a vulnerable version of the software. conclusion in today’s article, we covered the attack data for a critical-severity remote code execution vulnerability in the kali forms plugin, which could be leveraged to achieve aut…”

T1190 Exploit Public-Facing Application · 74%
“attackers actively exploiting critical vulnerability in kali forms plugin on march 2nd, 2026, we received a submission through our bug bounty program for a remote code execution vulnerability in kali forms, a wordpress plugin with more than 10,000 active installations. this vuln…”

T1190 Exploit Public-Facing Application · 65%
“updated with the latest patched version of kali forms, version 2.4.10 at the time of this writing, as soon as possible. vulnerability summary from wordfence intelligence kali forms <= 2.4.9 - unauthenticated remote code execution via form_process 9.8 cvss rating 9.8 (cr…”

T1071.001 Web Protocols · 40%
“66ddddb2b7&data[entrycounter]=wp_set_auth_cookie wordfence firewall the following graphic demonstrates the steps to exploitation an attacker might take and at which point the wordfence firewall would block an attacker from successfully exploiting the vulnerability. t…”

Summary

On March 2nd, 2026, we received a submission through our Bug Bounty Program for a Remote Code Execution vulnerability in Kali Forms, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to execute code on the server. The vendor released the patched version on March 20th, 2026, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on the same day. Our records indicate that attackers started exploiting the issue the same day, on March 20th, 2026. The Wordfence Firewall has already blocked over 312,200 exploit attempts targeting this vulnerability.
