{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/kali-forms---contact-form--drag-and-drop-builder--2.4.18/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-15395"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kali Forms - Contact Form \u0026 Drag-and-Drop Builder (\u003c= 2.4.18)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","xss","web-vulnerability","stored-xss"],"_cs_type":"advisory","_cs_vendors":["Kali Forms","WordPress"],"content_html":"\u003cp\u003eThe Kali Forms - Contact Form \u0026amp; Drag-and-Drop Builder plugin for WordPress, a widely used tool for creating customizable contact forms, is susceptible to a critical Stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-15395. This flaw affects all plugin versions up to and including 2.4.18. The vulnerability stems from insufficient input sanitization and output escaping, specifically impacting the 'digitalSignature' field. This design oversight enables unauthenticated attackers to embed arbitrary web scripts into form submissions. Crucially, the form-submission nonce, a security token typically required for form validity, is publicly available on any page hosting a Kali Forms shortcode. This accessibility streamlines exploitation for attackers, allowing them to bypass authentication requirements and inject malicious scripts that execute whenever a legitimate user, such as a site administrator, views the compromised pages or submitted form entries. The broad usage of the plugin makes this a significant concern for WordPress site owners.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website utilizing the Kali Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker browses the website to locate a publicly accessible page that displays a Kali Forms shortcode.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the necessary form-submission nonce, which is publicly available in the page's source code or network traffic, without requiring authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the Kali Forms submission endpoint, embedding the extracted nonce.\u003c/li\u003e\n\u003cli\u003eWithin this crafted POST request, the attacker injects arbitrary web scripts (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert('XSS')\u0026lt;/script\u0026gt;\u003c/code\u003e) into the vulnerable 'digitalSignature' field.\u003c/li\u003e\n\u003cli\u003eThe malicious form data, including the embedded script, is submitted and stored by the Kali Forms plugin.\u003c/li\u003e\n\u003cli\u003eA legitimate user, such as a website administrator, later accesses the backend or a frontend page where this stored form submission data is rendered.\u003c/li\u003e\n\u003cli\u003eThe injected web script executes within the victim's browser, potentially leading to session hijacking, defacement of the website, credential theft, or redirection to malicious sites.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15395 can lead to significant compromise of the affected WordPress website and its users. Attackers can execute arbitrary JavaScript in the context of the victim's browser, which can include session hijacking, allowing them to take over administrator accounts, defacing website content, redirecting users to malicious sites, or stealing sensitive user data like login credentials or personal information. Due to the unauthenticated nature of the vulnerability and the public availability of the nonce, a wide range of WordPress sites using the Kali Forms plugin are at risk if not updated. The CVSS v3.1 Base Score of 7.2 reflects the high severity and potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate the Kali Forms - Contact Form \u0026amp; Drag-and-Drop Builder plugin to version 2.4.19 or higher immediately to patch CVE-2026-15395.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Possible Kali Forms XSS Exploitation Attempts\u0026quot; to your SIEM to identify attempts at injecting malicious scripts through web requests.\u003c/li\u003e\n\u003cli\u003eReview webserver access logs and internal application logs for patterns indicating XSS injection attempts in form submission data, especially for parameters related to the \u003ccode\u003edigitalSignature\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T04:18:39Z","date_published":"2026-07-17T04:18:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-kali-forms-xss/","summary":"The Kali Forms - Contact Form \u0026 Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'digitalSignature' field in versions up to and including 2.4.18, allowing unauthenticated attackers to inject arbitrary web scripts that execute when a user accesses an affected page.","title":"Kali Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting via digitalSignature Field","url":"https://feed.craftedsignal.io/briefs/2026-07-kali-forms-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Kali Forms - Contact Form \u0026 Drag-and-Drop Builder (\u003c= 2.4.18)","version":"https://jsonfeed.org/version/1.1"}