CVE-2026-11579
WordPress Schwachstellenanalyse und -minderung

Überblick

CVE-2026-11579 is an unauthenticated arbitrary media upload vulnerability in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. The flaw affects all versions before 2.4.17 and was discovered and reported by researcher Alexander Jurkschat. It was publicly disclosed on 2026-06-24 and published to the NVD on 2026-07-15. The vulnerability is estimated as HIGH severity by Feedly; no official CVSS score has been assigned at time of publication (WPScan, GitHub Advisory).

Technische Details

The root cause is insufficient validation in the plugin's file upload handler (kaliforms_form_upload_file AJAX action), which does not verify that an upload request corresponds to an existing form configured with a file-upload field (CWE-434: Unrestricted Upload of File with Dangerous Type). An attacker can first leak a valid WordPress nonce via the unauthenticated kaliforms_get_js_var AJAX endpoint, then use that nonce to submit a file upload directly to wp-admin/admin-ajax.php without any form existing. Uploads are constrained to WordPress's default-allowed MIME types (images, PDFs, Office documents, ZIP, audio/video), which prevents code execution but still allows unauthorized content to be placed in the Media Library. A public proof-of-concept demonstrating the two-step attack was confirmed on Kali Forms 2.4.11 (WPScan).

Aufprall

Successful exploitation allows any unauthenticated user to upload arbitrary files of WordPress-permitted MIME types to the site's Media Library, making them publicly accessible via a predictable URL (/wp-content/uploads/YYYY/MM/filename). While direct code execution is not possible due to MIME type restrictions, attackers could abuse this to host malicious content (e.g., phishing pages embedded in PDFs or Office documents), consume server storage, or use the site as a distribution point for malware. Uploaded files are scheduled for automatic deletion approximately 15 minutes after upload via WP-cron, limiting persistent storage abuse (WPScan).

Ausnutzungsschritte

  1. Reconnaissance: Identify WordPress sites running the Kali Forms plugin (versions before 2.4.17) using tools like WPScan or by checking /wp-content/plugins/kali-forms/ for plugin presence.
  2. Leak a valid nonce: Send an unauthenticated POST request to the target's wp-admin/admin-ajax.php endpoint to retrieve a valid nonce:
curl -s -X POST "https://TARGET/wp-admin/admin-ajax.php" \
  --data "action=kaliforms_get_js_var&data[formId]=1&data[key]=ajax_nonce"

The response returns a JSON object containing the nonce value (e.g., {"success":true,"data":"<NONCE>"}). 3. Upload a file: Use the leaked nonce to submit a file upload to the same endpoint without any valid form existing:

curl -s -X POST "https://TARGET/wp-admin/admin-ajax.php" \
  -F "action=kaliforms_form_upload_file" \
  -F "nonce=<NONCE>" \
  -F "file=@payload.png"
  1. Retrieve the uploaded file: On success, the server returns a unique ID string. The uploaded file is publicly accessible at https://TARGET/wp-content/uploads/YYYY/MM/payload.png (WPScan).

Indikatoren für Kompromittierung

  • Network: Unauthenticated POST requests to wp-admin/admin-ajax.php with action=kaliforms_get_js_var followed shortly by action=kaliforms_form_upload_file from the same source IP; repeated nonce-fetching requests from automated tools.
  • Logs: Web server access logs showing sequential POST requests to admin-ajax.php with the above action parameters from unauthenticated sessions; HTTP 200 responses to multipart form-data uploads without a corresponding authenticated session.
  • File System: Unexpected files (images, PDFs, ZIP archives, Office documents) appearing in /wp-content/uploads/YYYY/MM/ that do not correspond to any known content management activity; files with random or unusual names matching the uniqid() pattern.
  • WordPress Admin: New media library entries with no associated post or author, uploaded at unusual times or in high volume.

Risikominderung und Problemumgehungen

Update the Kali Forms — Contact Form & Drag-and-Drop Builder plugin to version 2.4.17 or later, which introduces proper validation to ensure file uploads are only accepted against existing forms configured with a file-upload field (WPScan, GitHub Advisory). As a temporary workaround where immediate patching is not possible, consider blocking unauthenticated POST requests to wp-admin/admin-ajax.php with the action=kaliforms_form_upload_file parameter at the WAF or server level. Monitoring the Media Library for unexpected uploads can also help detect exploitation attempts.

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt WordPress Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2026-12512HIGH8.6
  • quotes-llama
NeinJaJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NeinJaJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NeinJaJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NeinJaJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NeinJaJul 15, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement