CVE-2026-11580
WordPress Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-11580 is an Insecure Direct Object Reference (IDOR) / Authorization Bypass vulnerability in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. It affects all versions before 2.4.17 and allows authenticated users with Contributor-level access or above to duplicate any post on the site — regardless of owner, post type, or visibility status — and read its private post metadata, including secrets stored by other plugins. The vulnerability was publicly disclosed on June 24, 2026, and assigned a CVSS score of 5.5 (Medium) (WPScan). The plugin is developed by WPChill and the CVE was assigned by WPScan (GitHub Advisory).

Técnicas

The root cause is a missing per-object capability check (CWE-639: Authorization Bypass Through User-Controlled Key) in the plugin's kaliforms_duplicate_post AJAX action. When a user triggers this action, the plugin does not verify whether the requesting user has the right to access or edit the target post — only that they are authenticated. An attacker supplies an arbitrary post ID (args[id]) and their own user ID (args[userId]) in the AJAX request, causing the plugin to create a published duplicate of the target post assigned to the attacker, copying all custom fields (post metadata) verbatim. A session-bound nonce required for the request can be trivially obtained via the plugin's own kaliforms_get_js_var AJAX action, which is accessible to any authenticated user (WPScan).

Impacto

A Contributor-level (or higher) authenticated attacker can read private post metadata from any post on the WordPress site, including administrator-owned private posts and secrets stored by other plugins (e.g., API keys, private notes, configuration values). The duplicated post is created as a published post owned by the attacker, making the exfiltrated metadata directly readable. While this vulnerability does not grant direct code execution or administrative control, the exposure of API keys and secrets could enable further attacks such as lateral movement to third-party services or privilege escalation (WPScan, GitHub Advisory).

Pasos de explotación

  1. Obtain Contributor-level access: Register or use an existing account with at least Contributor privileges on the target WordPress site.
  2. Retrieve a valid nonce: Send a POST request to the admin-ajax.php endpoint using the kaliforms_get_js_var action to obtain a session-bound nonce:
    curl -s -b contrib.txt -X POST "https://TARGET/wp-admin/admin-ajax.php" \
      --data "action=kaliforms_get_js_var&data[formId]=1&data[key]=ajax_nonce"
  3. Identify target post ID: Enumerate post IDs of interest (e.g., private posts, administrator posts) through WordPress's standard enumeration techniques or by observing post IDs in accessible areas of the site.
  4. Trigger the duplicate AJAX action: Send a POST request to admin-ajax.php with the kaliforms_duplicate_post action, specifying the target post ID and the attacker's own user ID:
    curl -s -b contrib.txt "https://TARGET/wp-admin/admin-ajax.php" \
      --data "action=kaliforms_duplicate_post" \
      --data "args[nonce]=<NONCE>" \
      --data "args[id]=<TARGET_POST_ID>" \
      --data "args[userId]=<ATTACKER_USER_ID>"
  5. Access the duplicated post: The response returns the new post ID. Navigate to or query the new published post (owned by the attacker) to read all copied custom fields, including sensitive metadata such as API keys and private notes (WPScan).

Indicadores de compromiso

  • Network: Repeated POST requests to /wp-admin/admin-ajax.php with action=kaliforms_duplicate_post from a Contributor-level user account, especially targeting post IDs not owned by that user; POST requests to admin-ajax.php with action=kaliforms_get_js_var immediately preceding duplication requests.
  • Logs: WordPress access logs showing admin-ajax.php POST requests with action=kaliforms_duplicate_post parameters from unexpected user accounts or at unusual times; multiple duplication requests targeting different post IDs in rapid succession.
  • WordPress Database: Unexpected published posts with titles containing "(duplicate)" or similar suffixes, authored by Contributor-level users, containing custom fields (post meta) that should only belong to private or administrator-owned posts; sudden increase in post count for Contributor accounts.
  • File System / Admin Panel: New published posts appearing in the WordPress admin dashboard owned by Contributor accounts that contain sensitive custom field data (e.g., API keys, private notes) copied from private posts (WPScan).

Mitigación y soluciones alternativas

Update the Kali Forms — Contact Form & Drag-and-Drop Builder plugin to version 2.4.17 or later, which introduces proper per-object capability checks in the post-duplication AJAX action. As an interim workaround, restrict Contributor-level access to only fully trusted users, or temporarily disable the plugin until patching is feasible. Site administrators should audit existing posts for unauthorized duplicates and review WordPress access logs for suspicious admin-ajax.php activity. Any exposed secrets (API keys, private notes) discovered in duplicated posts should be rotated immediately (WPScan, GitHub Advisory).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado WordPress Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-12512HIGH8.6
  • quotes-llama
NoJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NoJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NoJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NoJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades