WordPress Plugin Vulnerabilities

Kali Forms < 2.4.13 - Contributor+ Stored XSS via Form Field Caption

Description

The plugin does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the plugin's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.

Proof of Concept

Affects Plugins

Plugin icon
kali-forms
Fixed in 2.4.13

References

CVE
CVE-2026-11581

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
she11f
Submitter
she11f
Verified
Yes
WPVDB ID
a9282260-a0f2-4fe2-9acf-3191f4043910

Timeline

Publicly Published
2026-06-09 (about 21 days ago)
Added
2026-06-09 (about 20 days ago)
Last Updated
2026-06-09 (about 20 days ago)

Other

Published
Title
Published
2026-02-26
Title
RH Frontend Publishing Pro < 4.3.4 - Reflected Cross-Site Scripting
Published
2021-12-16
Title
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2021-06-28
Title
Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS)
Published
2024-11-16
Title
Simple Side Tab < 2.2.0 - Admin+ Stored XSS
Published
2025-01-16
Title
Easy Automatic Newsletter Lite <= 3.2.0 - Reflected Cross-Site Scripting