CVE-2026-11580
Kali Forms < 2.4.17 - Contributor+ Arbitrary Post Metadata Disclosure via IDOR
CVSS Score
5.5
EPSS Score
0.0%
EPSS Percentile
0th
The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17.
| Vendor | unknown |
| Product | kali forms — contact form & drag-and-drop builder |
| Published | Jul 15, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown kali forms — contact form & drag-and-drop builder
Be the first to know when new medium vulnerabilities affecting unknown kali forms — contact form & drag-and-drop builder are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Unknown / Kali Forms — Contact Form & Drag-and-Drop Builder
0 < 2.4.17
References
Credits
Muni Nitish Kumar Yaddala WPScan