WordPress Plugin Vulnerabilities

Contact Form builder with drag & drop for WordPress – Kali Forms < 2.3.42 - Missing Authorization to Arbitrary Plugin Deactivation

Description

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to deactivate any active plugins.

Affects Plugins

Plugin icon
kali-forms
Fixed in 2.3.42

References

CVE
CVE-2024-1217
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7be75b0a-737d-4f0d-b024-e207af4573cd

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.6 (high)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
25f282bb-c557-41fe-8843-2dbbf5c67a57

Timeline

Publicly Published
2024-02-19 (about 2 years ago)
Added
2024-02-19 (about 2 years ago)
Last Updated
2024-02-19 (about 2 years ago)

Other

Published
Title
Published
2025-12-15
Title
FileBird – WordPress Media Library Folders & File Manager < 6.5.2 - Missing Authorization to Authenticated (Author+) Global Folders Tampering
Published
2025-01-06
Title
Aurum - WordPress & WooCommerce Shopping Theme < 4.0.3 - Missing Authorization to Authenticated (Subscriber+) Demo Content Import
Published
2026-04-23
Title
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress < 5.6.8 - Missing Authorization
Published
2025-11-20
Title
Better Chat Support for Messenger < 1.2.19 - Missing Authorization
Published
2026-01-19
Title
Points and Rewards for WooCommerce < 2.9.6 - Missing Authorization