WordPress Contact Form Plugin Kali Forms Vulnerable to Authorization Bypass

CVE: CVE-2024-22305
CVSS (v3.1): 7.5
Source: CVE-2024-22305

The popular WordPress contact form plugin Kali Forms was found to have a vulnerability that could allow attackers to bypass authorization. The vulnerability received the CVE identifier CVE-2024-22305 and has a CVSS score of 7.5 out of 10.

Kali Forms is a drag-and-drop contact form builder plugin for WordPress that allows users to easily create contact forms for their sites. However, versions 2.3.36 and below are affected by an issue where an attacker could potentially bypass authorization controls through user-supplied form field names. This could allow an unauthorized person to access and modify form submissions and settings intended to be restricted.

Attackers could exploit this vulnerability by crafting special field names in a contact form submitted through the affected plugin versions. If a site administrator’s form happened to contain a field with a name matching what the attacker used, it may allow the attacker to modify the admin’s form settings and view submissions without authentication.
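As an added illustration, and not code from Kali Forms or from the advisory, the sketch below shows a WordPress form handler written the way the described weakness suggests it should be: client-supplied field names are only honoured if they appear in the server-side form definition, and any change to form settings or read of stored submissions goes through a capability check and a nonce rather than being decided by the request body. All hook names, option keys, field names and function names are hypothetical.

```php
<?php
// Added illustration, not Kali Forms code. Hook names, option keys and
// the form schema below are hypothetical placeholders.

// Hypothetical stored form definition (an admin would normally save this).
// Only these field names are accepted for the form; anything else is dropped.
function example_get_form_schema( $form_id ) {
    $schemas = array(
        1 => array( 'name', 'email', 'message' ),
    );
    return isset( $schemas[ $form_id ] ) ? $schemas[ $form_id ] : array();
}

// Public submission endpoint: stores only allowlisted fields, never settings.
function example_handle_submission() {
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $allowed = example_get_form_schema( $form_id );
    if ( empty( $allowed ) ) {
        wp_send_json_error( 'unknown form', 404 );
    }
    $fields = ( isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) )
        ? wp_unslash( $_POST['fields'] )
        : array();

    // Iterate over the server-side schema, not over the client's keys, so a
    // crafted field name can never select behaviour the form did not define.
    $clean = array();
    foreach ( $allowed as $name ) {
        if ( array_key_exists( $name, $fields ) ) {
            $clean[ $name ] = sanitize_textarea_field( $fields[ $name ] );
        }
    }

    $entries   = get_option( 'example_form_entries_' . $form_id, array() );
    $entries[] = array( 'time' => time(), 'data' => $clean );
    update_option( 'example_form_entries_' . $form_id, $entries, false );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_submit', 'example_handle_submission' );
add_action( 'wp_ajax_example_submit', 'example_handle_submission' );

// Privileged endpoint: changing settings requires a valid nonce and the
// manage_options capability; nothing in the POST body can substitute for that.
function example_update_settings() {
    check_ajax_referer( 'example_settings', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $notify  = isset( $_POST['notify_email'] )
        ? sanitize_email( wp_unslash( $_POST['notify_email'] ) )
        : '';
    update_option( 'example_form_settings_' . $form_id, array( 'notify_email' => $notify ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_settings', 'example_update_settings' );

// Privileged endpoint: reading stored submissions is gated the same way.
function example_list_entries() {
    check_ajax_referer( 'example_entries', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    wp_send_json_success( get_option( 'example_form_entries_' . $form_id, array() ) );
}
add_action( 'wp_ajax_example_list_entries', 'example_list_entries' );
```

The point of the structure is that the submission path and the administrative paths share no decision based on field names: the public handler loops over the stored schema rather than over whatever keys the client sent, and the settings and entry-listing handlers never run unless `check_ajax_referer()` and `current_user_can()` both pass. When auditing a form plugin after an advisory like this one, those are the two properties to confirm.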

WordPress site owners using Kali Forms should update to version 2.3.37 or higher as soon as possible to protect their sites from this security risk. Administrators are also advised to review site and plugin permissions to ensure no unauthorized access or modifications can be made. Keeping all software up-to-date is important for preventing security issues.
