
PEACH
Uma estrutura de isolamento de inquilino
CVE-2026-11580 is an Insecure Direct Object Reference (IDOR) / Authorization Bypass vulnerability in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. It affects all versions before 2.4.17 and allows authenticated users with Contributor-level access or above to duplicate any post on the site — regardless of owner, post type, or visibility status — and read its private post metadata, including secrets stored by other plugins. The vulnerability was publicly disclosed on June 24, 2026, and assigned a CVSS score of 5.5 (Medium) (WPScan). The plugin is developed by WPChill and the CVE was assigned by WPScan (GitHub Advisory).
The root cause is a missing per-object capability check (CWE-639: Authorization Bypass Through User-Controlled Key) in the plugin's kaliforms_duplicate_post AJAX action. When a user triggers this action, the plugin does not verify whether the requesting user has the right to access or edit the target post — only that they are authenticated. An attacker supplies an arbitrary post ID (args[id]) and their own user ID (args[userId]) in the AJAX request, causing the plugin to create a published duplicate of the target post assigned to the attacker, copying all custom fields (post metadata) verbatim. A session-bound nonce required for the request can be trivially obtained via the plugin's own kaliforms_get_js_var AJAX action, which is accessible to any authenticated user (WPScan).
A Contributor-level (or higher) authenticated attacker can read private post metadata from any post on the WordPress site, including administrator-owned private posts and secrets stored by other plugins (e.g., API keys, private notes, configuration values). The duplicated post is created as a published post owned by the attacker, making the exfiltrated metadata directly readable. While this vulnerability does not grant direct code execution or administrative control, the exposure of API keys and secrets could enable further attacks such as lateral movement to third-party services or privilege escalation (WPScan, GitHub Advisory).
admin-ajax.php endpoint using the kaliforms_get_js_var action to obtain a session-bound nonce:curl -s -b contrib.txt -X POST "https://TARGET/wp-admin/admin-ajax.php" \
--data "action=kaliforms_get_js_var&data[formId]=1&data[key]=ajax_nonce"admin-ajax.php with the kaliforms_duplicate_post action, specifying the target post ID and the attacker's own user ID:curl -s -b contrib.txt "https://TARGET/wp-admin/admin-ajax.php" \
--data "action=kaliforms_duplicate_post" \
--data "args[nonce]=<NONCE>" \
--data "args[id]=<TARGET_POST_ID>" \
--data "args[userId]=<ATTACKER_USER_ID>"/wp-admin/admin-ajax.php with action=kaliforms_duplicate_post from a Contributor-level user account, especially targeting post IDs not owned by that user; POST requests to admin-ajax.php with action=kaliforms_get_js_var immediately preceding duplication requests.admin-ajax.php POST requests with action=kaliforms_duplicate_post parameters from unexpected user accounts or at unusual times; multiple duplication requests targeting different post IDs in rapid succession.Update the Kali Forms — Contact Form & Drag-and-Drop Builder plugin to version 2.4.17 or later, which introduces proper per-object capability checks in the post-duplication AJAX action. As an interim workaround, restrict Contributor-level access to only fully trusted users, or temporarily disable the plugin until patching is feasible. Site administrators should audit existing posts for unauthorized duplicates and review WordPress access logs for suspicious admin-ajax.php activity. Any exposed secrets (API keys, private notes) discovered in duplicated posts should be rotated immediately (WPScan, GitHub Advisory).
Origem: Este relatório foi gerado usando IA
Avaliação de vulnerabilidade gratuita
Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.
Marque uma demonstração personalizada
"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."