
Cloud Vulnerability DB
Eine von der Community geführte Datenbank für Schwachstellen
CVE-2026-11579 is an unauthenticated arbitrary media upload vulnerability in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. The flaw affects all versions before 2.4.17 and was discovered and reported by researcher Alexander Jurkschat. It was publicly disclosed on 2026-06-24 and published to the NVD on 2026-07-15. The vulnerability is estimated as HIGH severity by Feedly; no official CVSS score has been assigned at time of publication (WPScan, GitHub Advisory).
The root cause is insufficient validation in the plugin's file upload handler (kaliforms_form_upload_file AJAX action), which does not verify that an upload request corresponds to an existing form configured with a file-upload field (CWE-434: Unrestricted Upload of File with Dangerous Type). An attacker can first leak a valid WordPress nonce via the unauthenticated kaliforms_get_js_var AJAX endpoint, then use that nonce to submit a file upload directly to wp-admin/admin-ajax.php without any form existing. Uploads are constrained to WordPress's default-allowed MIME types (images, PDFs, Office documents, ZIP, audio/video), which prevents code execution but still allows unauthorized content to be placed in the Media Library. A public proof-of-concept demonstrating the two-step attack was confirmed on Kali Forms 2.4.11 (WPScan).
Successful exploitation allows any unauthenticated user to upload arbitrary files of WordPress-permitted MIME types to the site's Media Library, making them publicly accessible via a predictable URL (/wp-content/uploads/YYYY/MM/filename). While direct code execution is not possible due to MIME type restrictions, attackers could abuse this to host malicious content (e.g., phishing pages embedded in PDFs or Office documents), consume server storage, or use the site as a distribution point for malware. Uploaded files are scheduled for automatic deletion approximately 15 minutes after upload via WP-cron, limiting persistent storage abuse (WPScan).
/wp-content/plugins/kali-forms/ for plugin presence.wp-admin/admin-ajax.php endpoint to retrieve a valid nonce:curl -s -X POST "https://TARGET/wp-admin/admin-ajax.php" \
--data "action=kaliforms_get_js_var&data[formId]=1&data[key]=ajax_nonce"The response returns a JSON object containing the nonce value (e.g., {"success":true,"data":"<NONCE>"}).
3. Upload a file: Use the leaked nonce to submit a file upload to the same endpoint without any valid form existing:
curl -s -X POST "https://TARGET/wp-admin/admin-ajax.php" \
-F "action=kaliforms_form_upload_file" \
-F "nonce=<NONCE>" \
-F "file=@payload.png"https://TARGET/wp-content/uploads/YYYY/MM/payload.png (WPScan).wp-admin/admin-ajax.php with action=kaliforms_get_js_var followed shortly by action=kaliforms_form_upload_file from the same source IP; repeated nonce-fetching requests from automated tools.admin-ajax.php with the above action parameters from unauthenticated sessions; HTTP 200 responses to multipart form-data uploads without a corresponding authenticated session./wp-content/uploads/YYYY/MM/ that do not correspond to any known content management activity; files with random or unusual names matching the uniqid() pattern.Update the Kali Forms — Contact Form & Drag-and-Drop Builder plugin to version 2.4.17 or later, which introduces proper validation to ensure file uploads are only accepted against existing forms configured with a file-upload field (WPScan, GitHub Advisory). As a temporary workaround where immediate patching is not possible, consider blocking unauthenticated POST requests to wp-admin/admin-ajax.php with the action=kaliforms_form_upload_file parameter at the WAF or server level. Monitoring the Media Library for unexpected uploads can also help detect exploitation attempts.
Quelle: Dieser Bericht wurde mithilfe von KI erstellt
Kostenlose Schwachstellenbewertung
Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.
Eine personalisierte Demo anfordern
"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"