CVE-2026-3584 — AI Deep Analysis Summary

🚨 **Essence**: Remote Code Execution (RCE) in Kali Forms. 💥 **Consequences**: Attackers can inject and execute arbitrary PHP code on the server. This leads to full server compromise, data theft, and site defacement.

🛡️ **CWE-94**: Improper Control of Generation of Code (Code Injection). 🔍 **Flaw**: The `form_process` function uses `prepare_post_data` to map user-supplied keys directly to internal placeholders.…

📦 **Vendor**: wpchill. 📦 **Product**: Kali Forms — Contact Form & Drag-and-Drop Builder. 📉 **Affected Versions**: Version **2.4.9 and earlier**. ✅ **Fixed**: Version 2.4.9+ (implied by '2.4.9 and earlier').

👑 **Privileges**: Full Server Control (Root/Admin). 📂 **Data**: Access to all database contents, user credentials, and server files. ⚡ **Impact**: High (CVSS 9.8).…

🔓 **Auth Required**: **None**. Unauthenticated attackers can exploit this. 🌐 **Network**: Remote (AV:N). 🎯 **Complexity**: Low (AC:L). No user interaction needed (UI:N). Extremely easy to exploit.

🔥 **Public Exploit**: **Yes**. A Nuclei template is available on GitHub (projectdiscovery/nuclei-templates). 🌍 **Wild Exploitation**: High risk due to simplicity and public PoC availability.

🔍 **Self-Check**: Scan for Kali Forms plugin version <= 2.4.9. 🧪 **Test**: Use Nuclei template `CVE-2026-3584.yaml`. 📝 **Manual**: Check if `form_process` handles untrusted input safely.…

🛠️ **Official Fix**: Yes. Update to **Kali Forms version 2.4.9 or later**. 📢 **Source**: WordPress plugin repository changeset 3487024. 📅 **Published**: March 20, 2026.

🚧 **Workaround**: If patching is delayed, **disable the Kali Forms plugin** immediately. 🚫 **Block**: Restrict access to `/wp-admin/` and form endpoints via WAF rules.…

🚨 **Priority**: **CRITICAL (P1)**. 📉 **CVSS**: 9.8 (Critical). ⚡ **Urgency**: Patch immediately. Unauthenticated RCE is a top-tier threat. Do not delay remediation.