Hackers Exploit Kali Forms Vulnerability to Take Over WordPress Sites

The Kali Forms vulnerability underscores how a single insecure function can jeopardize an entire plugin ecosystem. Discovered through a bug‑bounty submission, the flaw resides in the prepare_post_data() routine, which fails to whitelist user input before passing it to call_user_func(). By injecting malicious PHP function names, attackers can execute code on the server without authentication, turning a simple form submission into a remote code execution vector. This type of oversight is especially dangerous in WordPress, where plugins often handle untrusted data at scale.

Technical analysts note that the exploit chain hinges on the placeholder mechanism used to store form data. When attackers supply crafted values for placeholders like {entryCounter}, the plugin directly invokes the supplied string as a PHP function. In practice, this enables actions such as wp_set_auth_cookie(1), effectively granting admin privileges if the target site’s default administrator account exists. The rapid adoption of automated requests to admin‑ajax.php after the public patch release demonstrates how threat actors capitalize on the narrow window between disclosure and remediation.

For site operators, the incident is a stark reminder of the need for continuous vulnerability management. Wordfence’s swift firewall rules for premium users mitigated a portion of the traffic, but free users only received protection days later, allowing a surge of attacks between April 4‑10. Organizations should prioritize immediate updates to plugin versions, enforce least‑privilege principles, and deploy web‑application firewalls that can block suspicious admin‑ajax calls. As WordPress continues to dominate the CMS market, the industry must demand higher security standards from plugin developers to prevent similar RCE scenarios.