CVE-2026-3584
Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_processThe Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
We have discovered 4,908 live websites that are affected by CVE-2026-3584.
Affected Software
| Product |  Kali Forms |
| Category | Wordpress Plugins |
| Vulnerable Domains | 4,908 live websites (94% of Kali Forms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 83 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-94 Improper Control of Generation of Code ('Code Injection')Details
- Published - Mar 20, 2026
- Updated - Apr 8, 2026
Credits
- ISMAILSHADOW (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-3584 United States | 1,327 websites |
 Germany | 746 websites |
 France | 369 websites |
 Netherlands | 279 websites |
 GB | 242 websites |
 Italy | 171 websites |
 Poland | 145 websites |
 Denmark | 109 websites |
 Canada | 105 websites |
 Spain | 101 websites |
Website Distribution by TLD
Number of websites using CVE-2026-3584| .com | 1,860 websites |
| .de | 475 websites |
| .org | 268 websites |
| .nl | 264 websites |
| .fr | 154 websites |
| .co.uk | 154 websites |
| .net | 125 websites |
| .it | 110 websites |
| .pl | 103 websites |
| .ch | 84 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-3584
Top websites that are affected by CVE-2026-3584. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.io | United States | ***,*** | |
| ***************.com | Italy | ***,*** | |
| ***********.me |  Bulgaria | ***,*** | |
| ************.com | United States | ***,*** | |
| ***************.cz |  Czech Republic | ***,*** | |
| *****.eu | United States | ***,*** | |
| ****.****.***.ph |  Philippines | ***,*** | |
| ****************.de | Germany | ***,*** | |
| **************.com | United States | ***,*** | |
| *********.it | Italy | ***,*** |
FAQ
CVE-2026-3584 is Improper Control of Generation of Code ('Code Injection') in Kali Forms
A total of 4,908 websites have been identified as vulnerable to CVE-2026-3584, based on global website indexing conducted by WebTechSurvey.
The Kali Forms is affected by the CVE-2026-3584 vulnerability.
Kali Forms versions up to and including 2.4.9 are vulnerable to CVE-2026-3584.