Home / Vulnerability Intelligence / CVE-2026-3584

CVE-2026-3584 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 23, 2026

Kali Forms WordPress plugin - Remote Code Execution

Published: March 20, 2026Updated: March 23, 2026Remote Exploitable

Overview

Kali Forms WordPress plugin <= 2.4.9 contains a remote code execution caused by unsafe user input handling in 'form_process' and 'prepare_post_data' functions, letting unauthenticated attackers execute code on the server, exploit requires no authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 1708.7%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.

Mitigation

Update to the latest version beyond 2.4.9.

References

Social Media Activity(1 post)

Wordfence

@wordfence

Apr 13, 2026

Attackers Actively Exploiting Critical Vulnerability in Kali Forms Plugin A critical Remote Code Execution vulnerability (CVE-2026-3584, CVSS 9.8) in Kali Forms with 10,000+ active installations is under active attack. Over 312,200 exploit attempts blocked. Update to version 2.4.10. https://www.wordfence.com/blog/2026/04/attackers-actively-exploiting-critical-vulnerability-in-kali-forms-plugin #WordPress #WebSecurity #Wordfence

View original post

GitHub Repositories(1 repo)

https://github.com/Yucaerin/CVE-2026-3584

Related Resources

Details

CVE ID: CVE-2026-3584
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: unconfirmed
EPSS: 1708.7%
Nuclei: Available
Social Posts: 1

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

1708.7%Probability of exploitation in the next 30 days

Nuclei Template

View Nuclei Template