CVE-2020-36717: 
WordPress vulnerability analysis and mitigation

The Kali Forms plugin for WordPress (CVE-2020-36717) is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 2.1.1. The vulnerability exists due to incorrect nonce handling throughout the plugin's functions, where security nonces can be bypassed because they are only checked if they are set (NinTechNet Blog).

The vulnerability stems from a security design flaw in the plugin's nonce implementation. Throughout the plugin's code, security nonces are only verified when they are present in the request, allowing attackers to bypass the security check by simply omitting the nonce parameter. This affects multiple functions across the plugin's codebase. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows unauthenticated attackers to access the plugin's administrative functions through forged requests. This is possible if they can trick a site administrator into performing specific actions, such as clicking on a malicious link. The high CVSS score indicates that successful exploitation could lead to significant compromise of the system's confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in version 2.1.2 of the Kali Forms plugin. Users are strongly advised to upgrade immediately if they are running version 2.1.1 or below. Additionally, websites using NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium) are protected against this vulnerability (NinTechNet Blog).