{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1860", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-03T20:24:41.080Z", "datePublished": "2026-02-18T07:25:41.338Z", "dateUpdated": "2026-04-08T17:12:24.047Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:24.047Z"}, "affected": [{"vendor": "wpchill", "product": "Kali Forms \u2014 Contact Form & Drag-and-Drop Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths."}], "title": "Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1529c89-5c5e-4a2d-be31-b55d2907c9b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L251"}, {"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L62"}, {"url": "https://plugins.trac.wordpress.org/changeset/3460047/kali-forms/trunk?contextall=1&old=3435823&old_path=%2Fkali-forms%2Ftrunk"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "timeline": [{"time": "2026-02-03T20:39:53.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T18:55:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:03.808659Z", "id": "CVE-2026-1860", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:52:12.224Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1860", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:03.808659Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:05.001Z"}}], "cna": {"title": "Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wpchill", "product": "Kali Forms \u2014 Contact Form & Drag-and-Drop Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T20:39:53.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T18:55:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1529c89-5c5e-4a2d-be31-b55d2907c9b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L251"}, {"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L62"}, {"url": "https://plugins.trac.wordpress.org/changeset/3460047/kali-forms/trunk?contextall=1&old=3435823&old_path=%2Fkali-forms%2Ftrunk"}], "descriptions": [{"lang": "en", "value": "The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-18T07:25:41.338Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1860", "state": "PUBLISHED", "dateUpdated": "2026-02-18T12:52:12.224Z", "dateReserved": "2026-02-03T20:24:41.080Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T07:25:41.338Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths."}, {"lang": "es", "value": "El plugin Kali Forms para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 2.4.8, inclusive. Esto se debe a que el callback de permisos 'get_items_permissions_check()' en el endpoint de la API REST '/kaliforms/v1/forms/{id}' solo verifica la capacidad 'edit_posts' sin verificar que el usuario solicitante tenga la propiedad o autorizaci\u00f3n sobre el recurso de formulario espec\u00edfico. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, leer datos de configuraci\u00f3n de formularios pertenecientes a otros usuarios (incluidos los administradores) mediante la enumeraci\u00f3n de IDs de formulario. Los datos expuestos incluyen estructuras de campos de formulario, claves secretas de Google reCAPTCHA (si est\u00e1n configuradas), plantillas de notificaci\u00f3n por correo electr\u00f3nico y rutas del servidor."}], "id": "CVE-2026-1860", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T08:16:15.043", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L116"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L251"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.8/Inc/Backend/Rest/class-forms-rest-controller.php#L62"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3460047/kali-forms/trunk?contextall=1&old=3435823&old_path=%2Fkali-forms%2Ftrunk"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1529c89-5c5e-4a2d-be31-b55d2907c9b6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kali Forms \u2014 Contact Form & Drag-and-Drop Builder", "source": "cna", "vendor": "wpchill"}, "product": "kali_forms_\u2014_contact_form_&_drag-and-drop_builder", "vendor": "wpchill"}], "analysis": {"en": {"generated_at": "2026-04-16T17:07:17.449054+00:00", "value": {"mitigation_remediation": ["Update the Kali Forms plugin to the latest version that includes ownership checks on the REST endpoint.", "Restrict or disable access to the /kaliforms/v1/forms/{id} endpoint for non-administrative roles, otherwise add a custom capability check that verifies the form owner before returning data.", "Review existing forms for exposed keys and sensitive configuration, and remove or secure any sensitive data stored in form fields such as reCAPTCHA secrets."], "summary": {"action": "Patch", "impact": "Sensitive data exposure via Insecure Direct Object Reference"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Kali Forms plugin, version 2.4.8 or earlier. This includes all deployments of the \u201cwpchill:Kali Forms \u2014 Contact Form & Drag-and-Drop Builder\u201d plugin up to the mentioned release.", "description_and_impact": "The vulnerability allows an authenticated user with Contributor or higher privileges to enumerate form identifiers and read the configuration of any form via the /kaliforms/v1/forms/{id} REST endpoint. The permission check only verifies that the user can edit posts and does not confirm ownership, enabling disclosure of form field structures, Google reCAPTCHA secret keys, email notification templates, and server paths. This insecure direct object reference flaw, identified as CWE\u2011862, permits the exposure of sensitive configuration data.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate risk; the EPSS score is below 1%, implying the exploitation probability is low at present. The likely attack vector is via the REST API, where an attacker with Contributor-level access enumerates form IDs and retrieves sensitive data. No additional prerequisites beyond appropriate WordPress role permissions are mentioned in the description."}}}}, "created": "2026-02-18T10:32:28.880374+00:00", "updated": "2026-04-16T17:15:17.985726+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$kali_forms_\u2014_contact_form_&_drag-and-drop_builder"]}