CVE-2026-11580
WordPress Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-11580 is an Insecure Direct Object Reference (IDOR) / Authorization Bypass vulnerability in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. It affects all versions before 2.4.17 and allows authenticated users with Contributor-level access or above to duplicate any post on the site — regardless of owner, post type, or visibility status — and read its private post metadata, including secrets stored by other plugins. The vulnerability was publicly disclosed on June 24, 2026, and assigned a CVSS score of 5.5 (Medium) (WPScan). The plugin is developed by WPChill and the CVE was assigned by WPScan (GitHub Advisory).

Detalhes técnicos

The root cause is a missing per-object capability check (CWE-639: Authorization Bypass Through User-Controlled Key) in the plugin's kaliforms_duplicate_post AJAX action. When a user triggers this action, the plugin does not verify whether the requesting user has the right to access or edit the target post — only that they are authenticated. An attacker supplies an arbitrary post ID (args[id]) and their own user ID (args[userId]) in the AJAX request, causing the plugin to create a published duplicate of the target post assigned to the attacker, copying all custom fields (post metadata) verbatim. A session-bound nonce required for the request can be trivially obtained via the plugin's own kaliforms_get_js_var AJAX action, which is accessible to any authenticated user (WPScan).

Impacto

A Contributor-level (or higher) authenticated attacker can read private post metadata from any post on the WordPress site, including administrator-owned private posts and secrets stored by other plugins (e.g., API keys, private notes, configuration values). The duplicated post is created as a published post owned by the attacker, making the exfiltrated metadata directly readable. While this vulnerability does not grant direct code execution or administrative control, the exposure of API keys and secrets could enable further attacks such as lateral movement to third-party services or privilege escalation (WPScan, GitHub Advisory).

Etapas de exploração

  1. Obtain Contributor-level access: Register or use an existing account with at least Contributor privileges on the target WordPress site.
  2. Retrieve a valid nonce: Send a POST request to the admin-ajax.php endpoint using the kaliforms_get_js_var action to obtain a session-bound nonce:
    curl -s -b contrib.txt -X POST "https://TARGET/wp-admin/admin-ajax.php" \
      --data "action=kaliforms_get_js_var&data[formId]=1&data[key]=ajax_nonce"
  3. Identify target post ID: Enumerate post IDs of interest (e.g., private posts, administrator posts) through WordPress's standard enumeration techniques or by observing post IDs in accessible areas of the site.
  4. Trigger the duplicate AJAX action: Send a POST request to admin-ajax.php with the kaliforms_duplicate_post action, specifying the target post ID and the attacker's own user ID:
    curl -s -b contrib.txt "https://TARGET/wp-admin/admin-ajax.php" \
      --data "action=kaliforms_duplicate_post" \
      --data "args[nonce]=<NONCE>" \
      --data "args[id]=<TARGET_POST_ID>" \
      --data "args[userId]=<ATTACKER_USER_ID>"
  5. Access the duplicated post: The response returns the new post ID. Navigate to or query the new published post (owned by the attacker) to read all copied custom fields, including sensitive metadata such as API keys and private notes (WPScan).

Indicadores de compromisso

  • Network: Repeated POST requests to /wp-admin/admin-ajax.php with action=kaliforms_duplicate_post from a Contributor-level user account, especially targeting post IDs not owned by that user; POST requests to admin-ajax.php with action=kaliforms_get_js_var immediately preceding duplication requests.
  • Logs: WordPress access logs showing admin-ajax.php POST requests with action=kaliforms_duplicate_post parameters from unexpected user accounts or at unusual times; multiple duplication requests targeting different post IDs in rapid succession.
  • WordPress Database: Unexpected published posts with titles containing "(duplicate)" or similar suffixes, authored by Contributor-level users, containing custom fields (post meta) that should only belong to private or administrator-owned posts; sudden increase in post count for Contributor accounts.
  • File System / Admin Panel: New published posts appearing in the WordPress admin dashboard owned by Contributor accounts that contain sensitive custom field data (e.g., API keys, private notes) copied from private posts (WPScan).

Mitigação e soluções alternativas

Update the Kali Forms — Contact Form & Drag-and-Drop Builder plugin to version 2.4.17 or later, which introduces proper per-object capability checks in the post-duplication AJAX action. As an interim workaround, restrict Contributor-level access to only fully trusted users, or temporarily disable the plugin until patching is feasible. Site administrators should audit existing posts for unauthorized duplicates and review WordPress access logs for suspicious admin-ajax.php activity. Any exposed secrets (API keys, private notes) discovered in duplicated posts should be rotated immediately (WPScan, GitHub Advisory).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado WordPress Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-12512HIGH8.6
  • quotes-llama
NãoSimJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NãoSimJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NãoSimJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NãoSimJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NãoSimJul 15, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades