WordPress Plugin Vulnerabilities

Kali Forms < 2.4.17 - Contributor+ Arbitrary Post Metadata Disclosure via IDOR

Description

The plugin does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other plugins.

Proof of Concept

Affects Plugins

Fixed in 2.4.17

References

Classification

Type
IDOR
CWE

Miscellaneous

Original Researcher
Muni Nitish Kumar Yaddala
Submitter
Muni Nitish Kumar Yaddala
Verified
Yes

Timeline

Publicly Published
2026-06-24 (about 22 days ago)
Added
2026-06-24 (about 21 days ago)
Last Updated
2026-06-24 (about 21 days ago)

Other