<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kali Forms - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/kali-forms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 04:18:39 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/kali-forms/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kali Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting via digitalSignature Field</title><link>https://feed.craftedsignal.io/briefs/2026-07-kali-forms-xss/</link><pubDate>Fri, 17 Jul 2026 04:18:39 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-kali-forms-xss/</guid><description>The Kali Forms - Contact Form &amp; Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'digitalSignature' field in versions up to and including 2.4.18, allowing unauthenticated attackers to inject arbitrary web scripts that execute when a user accesses an affected page.</description><content:encoded><![CDATA[<p>The Kali Forms - Contact Form &amp; Drag-and-Drop Builder plugin for WordPress, a widely used tool for creating customizable contact forms, is susceptible to a critical Stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-15395. This flaw affects all plugin versions up to and including 2.4.18. The vulnerability stems from insufficient input sanitization and output escaping, specifically impacting the 'digitalSignature' field. This design oversight enables unauthenticated attackers to embed arbitrary web scripts into form submissions. Crucially, the form-submission nonce, a security token typically required for form validity, is publicly available on any page hosting a Kali Forms shortcode. This accessibility streamlines exploitation for attackers, allowing them to bypass authentication requirements and inject malicious scripts that execute whenever a legitimate user, such as a site administrator, views the compromised pages or submitted form entries. The broad usage of the plugin makes this a significant concern for WordPress site owners.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress website utilizing the Kali Forms plugin.</li>
<li>The attacker browses the website to locate a publicly accessible page that displays a Kali Forms shortcode.</li>
<li>The attacker extracts the necessary form-submission nonce, which is publicly available in the page's source code or network traffic, without requiring authentication.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the Kali Forms submission endpoint, embedding the extracted nonce.</li>
<li>Within this crafted POST request, the attacker injects arbitrary web scripts (e.g., <code>&lt;script&gt;alert('XSS')&lt;/script&gt;</code>) into the vulnerable 'digitalSignature' field.</li>
<li>The malicious form data, including the embedded script, is submitted and stored by the Kali Forms plugin.</li>
<li>A legitimate user, such as a website administrator, later accesses the backend or a frontend page where this stored form submission data is rendered.</li>
<li>The injected web script executes within the victim's browser, potentially leading to session hijacking, defacement of the website, credential theft, or redirection to malicious sites.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15395 can lead to significant compromise of the affected WordPress website and its users. Attackers can execute arbitrary JavaScript in the context of the victim's browser, which can include session hijacking, allowing them to take over administrator accounts, defacing website content, redirecting users to malicious sites, or stealing sensitive user data like login credentials or personal information. Due to the unauthenticated nature of the vulnerability and the public availability of the nonce, a wide range of WordPress sites using the Kali Forms plugin are at risk if not updated. The CVSS v3.1 Base Score of 7.2 reflects the high severity and potential for widespread damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update the Kali Forms - Contact Form &amp; Drag-and-Drop Builder plugin to version 2.4.19 or higher immediately to patch CVE-2026-15395.</li>
<li>Deploy the Sigma rule &quot;Detect Possible Kali Forms XSS Exploitation Attempts&quot; to your SIEM to identify attempts at injecting malicious scripts through web requests.</li>
<li>Review webserver access logs and internal application logs for patterns indicating XSS injection attempts in form submission data, especially for parameters related to the <code>digitalSignature</code> field.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>xss</category><category>web-vulnerability</category><category>stored-xss</category></item></channel></rss>