Hackers Exploit Kali Forms Vulnerability to Take Over WordPress Sites
Summary: A vulnerability in the Kali Forms plugin exposes WordPress sites to remote code execution, triggered by attackers through forged form data. Disclosed in March 2026, the flaw was exploited quickly, with attackers launching large-scale attacks through the admin-ajax.php endpoint.

2026-4-14 07:44:43 Author: thecyberexpress.com

A recently disclosed Kali Forms vulnerability affecting a widely used WordPress plugin has escalated into an active security threat, enabling unauthenticated attackers to achieve Remote Code Execution on affected websites. The flaw impacts Kali Forms, a drag-and-drop form builder with more than 10,000 active installations, and has already been exploited in the wild shortly after public disclosure. 

Security researchers reported that the vulnerability was first submitted on March 2, 2026, through a bug bounty program, which identified a critical Remote Code Execution issue in Kali Forms. The vendor released a patched version on March 20, 2026, and the issue was simultaneously added to the Wordfence Intelligence database. On the same day, attackers began actively exploiting it at scale. 

Timeline of the Kali Forms Vulnerability in the WordPress Plugin Ecosystem 

The Kali Forms vulnerability followed a rapid disclosure-to-exploitation cycle: 

  • March 2, 2026: Initial submission of the Remote Code Execution flaw via bug bounty reporting. 
  • March 5, 2026: Wordfence Premium, Care, and Response users received firewall protection. 
  • March 20, 2026: Patched version released; vulnerability publicly disclosed; attackers began exploiting the same day. 
  • April 4, 2026: Free Wordfence users received delayed firewall protection. 
  • April 4–10, 2026: Peak exploitation activity observed against the Kali Forms vulnerability. 

The patched release addressed the issue in version 2.4.10 of the WordPress plugin, while all versions up to and including 2.4.9 remained vulnerable. 

Technical Root Cause Behind the Kali Forms Vulnerability

The core of this WordPress plugin flaw lies in how user-supplied form data is processed and stored internally. The vulnerability resides in the form_process flow and the prepare_post_data() function, which incorrectly maps attacker-controlled input into internal placeholder storage without proper validation or allow-list restrictions. 

These placeholders are later used in the _save_data() method, where unsafe execution occurs through call_user_func(). 


A simplified excerpt of the vulnerable logic includes: 

if (isset($this->placeholdered_data['{entryCounter}'])) {
    // The placeholder value, which the request can set, is used as the callable.
    $this->placeholdered_data['{entryCounter}'] =
        call_user_func($this->placeholdered_data['{entryCounter}'], $this->post->ID);
}

Because the Kali Forms vulnerability allows attackers to fully control values like {entryCounter} and {thisPermalink}, an unauthenticated user can inject arbitrary PHP function names. These are then executed directly, resulting in Remote Code Execution (RCE) attacks. 

Researchers noted that the lack of input restrictions in prepare_post_data() enables overwriting internal placeholders. As a result, attacker-controlled values flow directly into call_user_func(), making exploitation trivial once the request is submitted. 

One observed abuse pattern demonstrates authentication bypass attempts using built-in WordPress functions. For example, attackers can assign: 

  • {entryCounter} = wp_set_auth_cookie
  • formId = 1

This leads to execution of wp_set_auth_cookie(1), which may log attackers in as the default administrator account if it exists, effectively turning the Kali Forms vulnerability into a full account takeover vector. 
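As an added illustration (not Kali Forms code; class, method and field names are assumptions chosen to mirror the excerpt above), the following is a hardened counterpart of the placeholder logic: internal placeholders such as {entryCounter} and {thisPermalink} are resolved only by methods named in a constant map, submitted data is accepted only for fields the form declares, and no request-derived value is ever passed to call_user_func().

```php
<?php
declare(strict_types=1);

// Added example: hardened placeholder handling. Not Kali Forms code.
final class SafePlaceholders
{
    // Internal placeholders map to fixed, server-defined methods. The request
    // can never supply a callable, only the values of declared fields.
    private const INTERNAL = [
        '{entryCounter}'  => 'countEntries',
        '{thisPermalink}' => 'permalinkFor',
    ];

    /** @var array<string,string> placeholder => submitted field value */
    private array $fields = [];

    /** @var array<int,int> postId => stored entry count (stand-in for the database) */
    private array $entryCounts;

    public function __construct(array $entryCounts = [])
    {
        $this->entryCounts = $entryCounts;
    }

    /**
     * Accepts only the fields the form declares, coerced to strings, and
     * refuses any field name that collides with an internal placeholder.
     *
     * @param array<string,mixed> $data           submitted data[] parameters
     * @param string[]            $declaredFields field names defined by the form
     */
    public function preparePostData(array $data, array $declaredFields): void
    {
        $this->fields = [];
        foreach ($declaredFields as $name) {
            $placeholder = '{' . $name . '}';
            if (isset(self::INTERNAL[$placeholder])) {
                continue; // a declared field may not shadow an internal placeholder
            }
            if (array_key_exists($name, $data) && is_scalar($data[$name])) {
                $this->fields[$placeholder] = (string) $data[$name];
            }
        }
        // Everything else in data[] (entryCounter, thisPermalink, unknown keys) is dropped.
    }

    /**
     * Resolves every placeholder for the given post. Internal placeholders
     * are computed by the methods in the constant map, so there is no
     * call_user_func() on request-derived data anywhere in this path.
     *
     * @return array<string,string>
     */
    public function resolve(int $postId): array
    {
        $resolved = $this->fields;
        foreach (self::INTERNAL as $placeholder => $method) {
            $resolved[$placeholder] = (string) $this->$method($postId);
        }
        return $resolved;
    }

    private function countEntries(int $postId): int
    {
        return ($this->entryCounts[$postId] ?? 0) + 1; // this submission's sequence number
    }

    private function permalinkFor(int $postId): string
    {
        return 'https://example.invalid/?p=' . $postId; // assumption: placeholder site URL
    }
}

// Constructed submission in the shape seen above, with the internal placeholder
// name smuggled in as a field. It is ignored; {entryCounter} is computed server-side.
$submitted = ['formId' => '1', 'nonce' => '0000000000', 'name' => 'Alice', 'entryCounter' => 'wp_set_auth_cookie'];
$form = new SafePlaceholders([7 => 41]);
$form->preparePostData($submitted, ['name', 'email']);
print_r($form->resolve(7));
```

The design point is separation of roles: request data only ever becomes a placeholder value, never a placeholder name that the plugin treats as internal, and never a callable. Whether the internal list has more entries than the two named here is an assumption; a real fix should enumerate every placeholder the plugin computes.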

Active Exploitation of the Kali Forms Vulnerability in Real-world Attacks 

Telemetry from security monitoring shows that exploitation began immediately after disclosure. Attackers have been systematically targeting the WordPress plugin using automated requests to admin-ajax.php. 

A representative exploit request includes: 

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=kaliforms_form_process&
data[formId]=1&
data[nonce]=66ddddb2b7&
data[entryCounter]=wp_set_auth_cookie 

This confirms how the Remote Code Execution flaw is triggered through manipulated form submission data. 

Security systems recorded significant attack volume: 

  • Over 312,200 exploit attempts were blocked targeting the Kali Forms vulnerability. 
  • Heavy targeting was observed immediately after March 20, 2026 disclosure. 
  • A pronounced spike in activity between April 4 and April 10, 2026. 

Top Attacking IP Addresses Observed 

Threat intelligence identified several IPs responsible for large-scale exploitation attempts: 

  • 209.146.60.26 – over 152,000 blocked requests  
  • 49.156.40.126 – over 50,000  
  • 124.248.183.139 – over 26,000  
  • 202.56.2.126 – over 14,000  
  • 130.12.182.154 – over 11,000  
  • 104.28.160.197 – over 9,000  
  • 1.53.114.181 – over 5,700  
  • 157.15.40.74 – over 3,000  
  • 114.10.99.126 – over 2,500  
  • 83.147.12.83 – over 1,300  

These sources were repeatedly associated with exploitation attempts targeting the Kali Forms vulnerability in the affected WordPress plugin. 
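As an added example (not Kali Forms or Wordfence code), the following request filter refuses a kaliforms_form_process submission that tries to set an internal placeholder name, in the shape of the request shown above, and tallies refused requests per source address the way the list above is presented. The list of internal placeholder names, the hook choice and the mu-plugin deployment are assumptions; updating the plugin to 2.4.10 or later remains the actual fix.

```php
<?php
declare(strict_types=1);

// Added example: stop-gap request filter and per-source tally for the
// kaliforms_form_process abuse pattern. Not Kali Forms or Wordfence code.

const KALI_ACTION = 'kaliforms_form_process';

// Internal placeholder names a submission must never be allowed to set.
// Assumption: the two named in the article are the complete list.
const INTERNAL_PLACEHOLDERS = ['entryCounter', 'thisPermalink'];

/**
 * Returns the reasons a form-process request should be refused, or an
 * empty array when it is not such a request or nothing in it is suspicious.
 *
 * @param array<string,mixed> $params request parameters in $_POST/$_REQUEST shape
 * @return string[]
 */
function inspectFormProcessRequest(array $params): array
{
    if (($params['action'] ?? null) !== KALI_ACTION) {
        return [];
    }
    $data = $params['data'] ?? [];
    if (!is_array($data)) {
        return ['data[] is not an array'];
    }
    $reasons = [];
    foreach (array_keys($data) as $key) {
        if (in_array((string) $key, INTERNAL_PLACEHOLDERS, true)) {
            $reasons[] = "submission sets internal placeholder '{$key}'";
        }
    }
    return $reasons;
}

/**
 * Tallies refused requests per source address, most active first, from a
 * list of [ip, params] pairs (for example, reconstructed from a request log).
 *
 * @param array<int,array{0:string,1:array<string,mixed>}> $requests
 * @return array<string,int>
 */
function tallyRefusedBySource(array $requests): array
{
    $counts = [];
    foreach ($requests as [$ip, $params]) {
        if (inspectFormProcessRequest($params) !== []) {
            $counts[$ip] = ($counts[$ip] ?? 0) + 1;
        }
    }
    arsort($counts);
    return $counts;
}

// When placed in wp-content/mu-plugins/, this runs before admin-ajax.php
// dispatches to the plugin's handler (admin-ajax.php loads wp-load.php, which
// fires 'init', before routing the action). $_REQUEST is inspected because
// admin-ajax.php reads the action from $_REQUEST, not only from $_POST.
if (function_exists('add_action')) {
    add_action('init', function (): void {
        $reasons = inspectFormProcessRequest($_REQUEST);
        if ($reasons !== []) {
            error_log('kaliforms filter refused request: ' . implode('; ', $reasons));
            wp_die('Forbidden', 'Forbidden', 403);
        }
    });
}

// Stand-alone demonstration on constructed requests (not real traffic).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $benign = ['action' => KALI_ACTION, 'data' => ['formId' => '1', 'nonce' => '0000000000', 'name' => 'Alice']];
    $abuse  = ['action' => KALI_ACTION, 'data' => ['formId' => '1', 'nonce' => '0000000000', 'entryCounter' => 'wp_set_auth_cookie']];
    $log = [
        ['198.51.100.7', $abuse],
        ['198.51.100.7', $abuse],
        ['203.0.113.9', $benign],
        ['203.0.113.9', $abuse],
    ];
    print_r(inspectFormProcessRequest($benign));
    print_r(inspectFormProcessRequest($abuse));
    print_r(tallyRefusedBySource($log));
}
```

The filter keys on placeholder names rather than on values: a value-based heuristic such as "looks like a PHP function name" would flag ordinary submissions like "date" or "count", whereas a legitimate form has no reason to submit entryCounter or thisPermalink at all. The per-source tally is a reporting aid; it is not a substitute for the patch, and blocking by address alone does not close the flaw for the addresses not yet seen.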


Source: https://thecyberexpress.com/kali-forms-vulnerability-wordpress-plugin/