CVE-2026-11581
Status: Received - Intake

Stored XSS in Kali Forms WordPress Plugin

Vulnerability report for CVE-2026-11581, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: WPScan

Description

The Kali Forms – Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the plugin's post-duplication action additionally lets the Contributor publish the malicious form so that an administrator renders it.

CVSS Scores

No CVSS score is listed for this entry.

EPSS Scores

Not evaluated (probability and percentile not available).
Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor    Product     Version / Range
wpforms   kali_forms  before 2.4.13 (2.4.13 itself is not affected)

Exploitability

CWE: CWE-UNKNOWN (no CWE has been assigned on this page; the flaw as described is stored cross-site scripting, which maps to CWE-79)
KEV: no CISA KEV listing is shown on this page
Executive Summary

CVE-2026-11581 is a stored cross-site scripting (XSS) vulnerability in the Kali Forms WordPress plugin, versions before 2.4.13.

The plugin does not escape the caption of a form field before emitting it as a column header on the administrator's form-entries screen, so any HTML or JavaScript placed in the caption is rendered as markup rather than shown as text.

Users with Contributor-level access or higher can therefore store JavaScript in a caption.

Additionally, the plugin's post-duplication action lacks a capability check, so a Contributor (who normally cannot publish posts) can duplicate the form into a published copy; the script then runs when an administrator opens the form-entries screen for that form.
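To make the two flaws in the description and summary above concrete, the following is an added Python model of the attack chain, written for this page rather than taken from the plugin (which is PHP). It shows a field caption emitted verbatim as a <th> cell, which is the XSS sink, beside the escaped variant that corresponds to WordPress's esc_html(), and the duplicate action run with and without a capability check. The dataclasses, the assumption that a duplicated form is created with published status, and the capability name publish_posts (which real WordPress Contributors lack) are illustrative choices; the payload is constructed.

```python
"""Model of the CVE-2026-11581 attack chain (added example, not plugin code).
Assumptions: forms and users are plain dataclasses, a duplicated form is
created with status 'publish', and the hardened duplicate action requires the
WordPress capability 'publish_posts', which Contributors do not have."""
import html
from dataclasses import dataclass


@dataclass
class User:
    name: str
    caps: frozenset  # WordPress-style capability names


@dataclass
class Form:
    form_id: int
    author: str
    status: str      # "draft" or "publish"
    captions: list   # field captions, stored verbatim by the plugin


# Constructed payload a Contributor could type into a field caption.
PAYLOAD = '<img src=x onerror="alert(document.domain)">'


def duplicate_form(user, form, check_capability):
    """Model of the post-duplication action.

    check_capability=False reproduces the reported behaviour: whoever reaches
    the action gets a published copy. The hardened variant refuses users who
    lack 'publish_posts' (current_user_can() in WordPress terms)."""
    if check_capability and "publish_posts" not in user.caps:
        raise PermissionError(f"{user.name} may not publish forms")
    return Form(form.form_id + 1, form.author, "publish", list(form.captions))


def render_entries_header(form, escape_output):
    """Model of the admin form-entries screen building its <th> cells.

    escape_output=False reproduces the bug: caption markup is emitted as-is.
    escape_output=True applies the fix at the sink (html.escape here,
    esc_html() in WordPress), so the browser shows the caption as text."""
    cells = []
    for caption in form.captions:
        text = html.escape(caption, quote=True) if escape_output else caption
        cells.append(f"<th>{text}</th>")
    return "<tr>" + "".join(cells) + "</tr>"


def attack_chain(escape_output, check_capability):
    """Run the chain end to end. Returns the header HTML an administrator's
    browser would receive, or '' if the capability check stops the chain."""
    contributor = User("mallory", frozenset({"read", "edit_posts"}))
    draft = Form(10, "mallory", "draft", ["Name", PAYLOAD])
    try:
        published = duplicate_form(contributor, draft, check_capability)
    except PermissionError:
        return ""
    assert published.status == "publish"
    return render_entries_header(published, escape_output)


if __name__ == "__main__":
    print("vulnerable :", attack_chain(escape_output=False, check_capability=False))
    print("escaped    :", attack_chain(escape_output=True, check_capability=False))
    print("cap check  :", repr(attack_chain(escape_output=False, check_capability=True)))
```

Run stand-alone, the vulnerable path returns the raw `<img ... onerror=...>` inside a `<th>`, the escaped path returns `&lt;img ...&gt;` (inert text), and the capability-checked path returns an empty string because the Contributor never gets a published copy. Escaping at the sink is the right fix rather than filtering captions on input: it also preserves legitimate captions such as "A & B" correctly, and it protects every caller of the sink regardless of where the caption came from.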

Impact Analysis

An attacker with only Contributor-level access can execute arbitrary JavaScript in the context of an administrator's session.

Because the script runs inside wp-admin with the administrator's cookies and nonces, it can drive any action the administrator could perform (for example creating a new administrator account or changing site options) without needing to steal the session cookie, which WordPress marks HttpOnly; data visible in the admin area can likewise be read and exfiltrated.

The attack requires no interaction beyond an administrator opening the form-entries screen, and the capability bypass lets the Contributor get the form published without review, so the administrator has no obvious signal that the form is malicious.

Detection Guidance

Check the installed Kali Forms version: anything before 2.4.13 is affected. The version is shown on the Plugins screen in wp-admin and can also be read with WP-CLI.

To find exploitation attempts, inspect the stored field captions of Kali Forms forms for HTML tags, event-handler attributes (onerror=, onload= and similar) or javascript: URLs; legitimate captions are plain text. Prioritise forms created or duplicated by Contributor- or Author-level users, and forms that reached published status without an Editor or Administrator publishing them.

The script executes only in the administrator's browser, so web-server access logs will not show the execution itself. Look instead for administrative actions that follow an administrator's visit to the form-entries screen and were not initiated deliberately: new users with elevated roles, plugin or theme installs, changed site options, or requests to admin endpoints with unexpected referers.

The available resources do not provide specific detection commands.
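The two checks above (version and stored captions), as an added Python triage script that is not from the page or the plugin. The version comparison is numeric, since a plain string comparison of "2.4.9" against "2.4.13" gives the wrong answer; the caption scan is a heuristic over a constructed form-record layout, because this page does not describe how the plugin actually stores forms, and the sample records and the WP-CLI slug mentioned in the comment are assumptions.

```python
"""Triage helpers for CVE-2026-11581 (added example, not the page's or the
plugin's code): a numeric version check against the fixed release and a
heuristic scan of stored field captions. The form-record layout used here is
constructed for illustration; the plugin's real storage format is not
described on this page."""
import re

FIXED_VERSION = (2, 4, 13)


def parse_version(version):
    """'2.4.9' -> (2, 4, 9). Compare as tuples, never as strings:
    '2.4.9' < '2.4.13' is False as a string comparison but True numerically."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts or (0,)


def is_vulnerable_version(version):
    """True for any release before 2.4.13 (empty or odd strings count as vulnerable)."""
    return parse_version(version) < FIXED_VERSION


# A legitimate caption is plain text, so any of these is worth a look.
INDICATORS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z]")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
]


def scan_captions(forms, untrusted_roles=("contributor", "author")):
    """Return one finding per suspicious caption.

    `forms` is a list of dicts with keys form_id, author, author_role, status
    and fields (a list of dicts with a 'caption'): a constructed layout.
    Forms owned by low-privilege roles are ranked high, since that is the role
    the advisory names and Contributors cannot normally publish at all."""
    findings = []
    for form in forms:
        for field in form["fields"]:
            caption = field.get("caption", "")
            hits = [name for name, rx in INDICATORS if rx.search(caption)]
            if hits:
                findings.append({
                    "form_id": form["form_id"],
                    "author": form["author"],
                    "status": form["status"],
                    "priority": "high" if form["author_role"] in untrusted_roles else "medium",
                    "caption": caption,
                    "indicators": hits,
                })
    return findings


# Constructed sample records (not real site data).
SAMPLE_FORMS = [
    {"form_id": 7, "author": "editor1", "author_role": "editor", "status": "publish",
     "fields": [{"caption": "Name"}, {"caption": "E-mail"}]},
    {"form_id": 12, "author": "mallory", "author_role": "contributor", "status": "publish",
     "fields": [{"caption": "Name"},
                {"caption": '<img src=x onerror="alert(document.domain)">'}]},
    {"form_id": 13, "author": "mallory", "author_role": "contributor", "status": "draft",
     "fields": [{"caption": 'Click <a href="javascript:alert(1)">here</a>'}]},
    {"form_id": 14, "author": "editor1", "author_role": "editor", "status": "publish",
     "fields": [{"caption": "Terms & conditions (R&D)"}]},  # legitimate '&', no finding
]

if __name__ == "__main__":
    # The installed version can be read from wp-admin or with WP-CLI, e.g.
    #   wp plugin get kali-forms --field=version   (plugin slug assumed)
    for v in ("2.4.9", "2.4.12", "2.4.13", "2.5.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for f in scan_captions(SAMPLE_FORMS):
        print(f["priority"], f["form_id"], f["author"], f["status"], f["indicators"], repr(f["caption"]))
```

On the sample data the scan flags form 12 (tag plus event handler) and form 13 (tag plus javascript: URL), both owned by a Contributor, and leaves the editor's "Terms & conditions (R&D)" caption alone. Treat the indicators as triage, not proof: a hit means a human should open the stored caption, and a published form owned by a Contributor is itself suspicious here because the capability bypass is the only way a Contributor gets one.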

Mitigation Strategies

The immediate mitigation is to update the Kali Forms WordPress plugin to version 2.4.13 or later, where both the missing output escaping and the missing capability check are fixed.

Until the update is applied, treat every Contributor-level account as able to reach administrators' browsers: review or temporarily demote Contributor accounts you do not fully trust, or deactivate the plugin. Role restrictions inside the plugin cannot be relied on, because the missing capability check is part of the bug.

Administrators should avoid opening the Kali Forms entries screen for forms created or duplicated by Contributors until the update is applied; simply rendering the screen executes the payload, so there is no safe way to view such a form carefully.
