Back to overview

CVE-2026-11580

Description
The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17.

Metadata

CVE ID
CVE-2026-11580
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-08 11:58 UTC
Published
2026-07-15 06:00 UTC
Last updated
2026-07-15 06:00 UTC
Vendor / Product
Unknown / Kali Forms — Contact Form & Drag-and-Drop Builder
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Unknown Kali Forms — Contact Form & Drag-and-Drop Builder 0 < 2.4.17
Weakness (CWE)
CWESourceDescription
cna CWE-639 Authorization Bypass Through User-Controlled Key
Back to overview