Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to unauthenticated compromise. CVE-2026-3584 affects Kali Forms through version 2.4.9 and allows remote code execution because user-controlled input can be mapped into internal placeholder storage and later invoked via call_user_func in the form_process path. The issue is classified as CWE-94 and carries a CVSS 3.1 score with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating critical impact on confidentiality, integrity, and availability.
A second flaw, CVE-2026-4038, affects Aimogen Pro through version 2.7.5 and enables unauthenticated privilege escalation through an arbitrary function call in aiomatic_call_ai_function_realtime caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as update_option to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as CWE-862 and was likewise rated with a high-impact CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-4038 published for Aimogen Pro privilege escalation
CVE-2026-4038 was publicly listed as a high-severity vulnerability affecting Aimogen Pro versions up to 2.7.5. It was classified as CWE-862 with a CVSS v3.1 vector showing unauthenticated privilege-escalation impact across confidentiality, integrity, and availability.
CVE-2026-3584 published for Kali Forms unauthenticated RCE
CVE-2026-3584 was publicly listed as a critical vulnerability affecting Kali Forms versions up to 2.4.9. It was classified as CWE-94 with a high-impact CVSS v3.1 vector indicating unauthenticated remote code execution risk.
Wordfence receives CVE-2026-4038 report for Aimogen Pro privilege escalation
Wordfence received a report on an arbitrary function call vulnerability in the WordPress Aimogen Pro plugin affecting versions up to and including 2.7.5. The missing capability check in aiomatic_call_ai_function_realtime allows unauthenticated attackers to invoke WordPress functions and escalate privileges, such as by enabling registration and setting the default role to administrator.
Wordfence receives CVE-2026-3584 report for Kali Forms RCE
Wordfence received a report on a remote code execution vulnerability in the WordPress Kali Forms plugin affecting versions up to and including 2.4.9. The flaw stems from unsafe handling in form_process and prepare_post_data that can let unauthenticated attackers reach call_user_func with user-controlled input.
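The two weaknesses both reports describe, a missing capability check (CWE-862) and a request-controlled callable reaching call_user_func (CWE-94), shown as an added illustrative PHP example that is not code from Kali Forms, Aimogen Pro or Wordfence; the handler, action keys and helper function names are hypothetical.

```php
<?php
// Illustrative only: a hypothetical plugin AJAX endpoint, not the code of
// either plugin named in the advisories.

// WEAK PATTERN (the shape the reports describe): the request picks the
// function, nothing checks who is calling, and nopriv exposes it to anyone.
function weak_realtime_handler() {
    $fn  = $_POST['function'];                 // attacker-controlled callable
    $arg = $_POST['argument'];
    wp_send_json_success( call_user_func( $fn, $arg ) );   // CWE-94 via CWE-862
}
add_action( 'wp_ajax_weak_realtime', 'weak_realtime_handler' );
add_action( 'wp_ajax_nopriv_weak_realtime', 'weak_realtime_handler' );

// HARDENED PATTERN: authorization, CSRF token, and an allowlist so the
// request can only choose a key, never a function name.
const MYPLUGIN_ALLOWED_ACTIONS = array(
    'summarize' => 'myplugin_summarize',
    'translate' => 'myplugin_translate',
);

function myplugin_realtime_handler() {
    // 1. Capability check: the missing step in CVE-2026-4038's description.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check so an authenticated admin cannot be made to trigger it.
    check_ajax_referer( 'myplugin_realtime', 'nonce' );

    // 3. Map a short key to a fixed callable; reject anything not listed.
    $key = isset( $_POST['action_key'] ) ? sanitize_key( wp_unslash( $_POST['action_key'] ) ) : '';
    if ( ! isset( MYPLUGIN_ALLOWED_ACTIONS[ $key ] ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }

    // 4. Sanitize the argument; every allowlisted function takes one string.
    $text = isset( $_POST['text'] ) ? sanitize_text_field( wp_unslash( $_POST['text'] ) ) : '';
    wp_send_json_success( call_user_func( MYPLUGIN_ALLOWED_ACTIONS[ $key ], $text ) );
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_myplugin_realtime', 'myplugin_realtime_handler' );

function myplugin_summarize( $text ) { return substr( $text, 0, 100 ); }
function myplugin_translate( $text ) { return strtoupper( $text ); }  // placeholder body
```

Registering the handler only under the wp_ajax_ prefix, together with the capability check, is what blocks the unauthenticated path; the allowlist is what removes the arbitrary-function-call primitive even for a caller who is authorized.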
Sources
CVE-2026-4038 - Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call (cvefeed.io)
CVE-2026-3584 - Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process (cvefeed.io)