CVE-2026-11580
WordPress Analisi e mitigazione delle vulnerabilità

Panoramica

CVE-2026-11580 is an Insecure Direct Object Reference (IDOR) / Authorization Bypass vulnerability in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. It affects all versions before 2.4.17 and allows authenticated users with Contributor-level access or above to duplicate any post on the site — regardless of owner, post type, or visibility status — and read its private post metadata, including secrets stored by other plugins. The vulnerability was publicly disclosed on June 24, 2026, and assigned a CVSS score of 5.5 (Medium) (WPScan). The plugin is developed by WPChill and the CVE was assigned by WPScan (GitHub Advisory).

Dettagli tecnici

The root cause is a missing per-object capability check (CWE-639: Authorization Bypass Through User-Controlled Key) in the plugin's kaliforms_duplicate_post AJAX action. When a user triggers this action, the plugin does not verify whether the requesting user has the right to access or edit the target post — only that they are authenticated. An attacker supplies an arbitrary post ID (args[id]) and their own user ID (args[userId]) in the AJAX request, causing the plugin to create a published duplicate of the target post assigned to the attacker, copying all custom fields (post metadata) verbatim. A session-bound nonce required for the request can be trivially obtained via the plugin's own kaliforms_get_js_var AJAX action, which is accessible to any authenticated user (WPScan).

Impatto

A Contributor-level (or higher) authenticated attacker can read private post metadata from any post on the WordPress site, including administrator-owned private posts and secrets stored by other plugins (e.g., API keys, private notes, configuration values). The duplicated post is created as a published post owned by the attacker, making the exfiltrated metadata directly readable. While this vulnerability does not grant direct code execution or administrative control, the exposure of API keys and secrets could enable further attacks such as lateral movement to third-party services or privilege escalation (WPScan, GitHub Advisory).

Passaggi di sfruttamento

  1. Obtain Contributor-level access: Register or use an existing account with at least Contributor privileges on the target WordPress site.
  2. Retrieve a valid nonce: Send a POST request to the admin-ajax.php endpoint using the kaliforms_get_js_var action to obtain a session-bound nonce:
    curl -s -b contrib.txt -X POST "https://TARGET/wp-admin/admin-ajax.php" \
      --data "action=kaliforms_get_js_var&data[formId]=1&data[key]=ajax_nonce"
  3. Identify target post ID: Enumerate post IDs of interest (e.g., private posts, administrator posts) through WordPress's standard enumeration techniques or by observing post IDs in accessible areas of the site.
  4. Trigger the duplicate AJAX action: Send a POST request to admin-ajax.php with the kaliforms_duplicate_post action, specifying the target post ID and the attacker's own user ID:
    curl -s -b contrib.txt "https://TARGET/wp-admin/admin-ajax.php" \
      --data "action=kaliforms_duplicate_post" \
      --data "args[nonce]=<NONCE>" \
      --data "args[id]=<TARGET_POST_ID>" \
      --data "args[userId]=<ATTACKER_USER_ID>"
  5. Access the duplicated post: The response returns the new post ID. Navigate to or query the new published post (owned by the attacker) to read all copied custom fields, including sensitive metadata such as API keys and private notes (WPScan).

Indicatori di compromesso

  • Network: Repeated POST requests to /wp-admin/admin-ajax.php with action=kaliforms_duplicate_post from a Contributor-level user account, especially targeting post IDs not owned by that user; POST requests to admin-ajax.php with action=kaliforms_get_js_var immediately preceding duplication requests.
  • Logs: WordPress access logs showing admin-ajax.php POST requests with action=kaliforms_duplicate_post parameters from unexpected user accounts or at unusual times; multiple duplication requests targeting different post IDs in rapid succession.
  • WordPress Database: Unexpected published posts with titles containing "(duplicate)" or similar suffixes, authored by Contributor-level users, containing custom fields (post meta) that should only belong to private or administrator-owned posts; sudden increase in post count for Contributor accounts.
  • File System / Admin Panel: New published posts appearing in the WordPress admin dashboard owned by Contributor accounts that contain sensitive custom field data (e.g., API keys, private notes) copied from private posts (WPScan).

Mitigazione e soluzioni alternative

Update the Kali Forms — Contact Form & Drag-and-Drop Builder plugin to version 2.4.17 or later, which introduces proper per-object capability checks in the post-duplication AJAX action. As an interim workaround, restrict Contributor-level access to only fully trusted users, or temporarily disable the plugin until patching is feasible. Site administrators should audit existing posts for unauthorized duplicates and review WordPress access logs for suspicious admin-ajax.php activity. Any exposed secrets (API keys, private notes) discovered in duplicated posts should be rotated immediately (WPScan, GitHub Advisory).

Risorse aggiuntive


FonteQuesto report è stato generato utilizzando l'intelligenza artificiale

Imparentato WordPress Vulnerabilità:

CVE ID

Severità

Punteggio

Tecnologie

Nome del componente

Exploit CISA KEV

Ha la correzione

Data di pubblicazione

CVE-2026-12512HIGH8.6
  • quotes-llama
NoJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NoJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NoJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NoJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NoJul 15, 2026

Valutazione gratuita delle vulnerabilità

Benchmark della tua posizione di sicurezza del cloud

Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.

Richiedi valutazione

Richiedi una demo personalizzata

Pronti a vedere Wiz in azione?

"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità