Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to unauthenticated compromise. CVE-2026-3584 affects Kali Forms through version 2.4.9 and allows remote code execution because user-controlled input can be mapped into internal placeholder storage and later invoked via call_user_func in the form_process path. The issue is classified as CWE-94 and carries a CVSS 3.1 score with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating critical impact on confidentiality, integrity, and availability.
A second flaw, CVE-2026-4038, affects Aimogen Pro through version 2.7.5 and enables unauthenticated privilege escalation through an arbitrary function call in aiomatic_call_ai_function_realtime caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as update_option to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as CWE-862 and was likewise rated with a high-impact CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
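Both flaws described above share one code shape: a handler reachable without login that turns request data into a function call. The following constructed PHP illustration (added here; not the code of Kali Forms, Aimogen Pro, or Wordfence) shows that shape and the corrected form with a capability check, a nonce, and a fixed allowlist of callables; all `demo_*` names and the `demo_call_safe` nonce action are hypothetical.

```php
<?php
// Constructed illustration, not the code of either plugin named on the page.
// Before: an AJAX action exposed to unauthenticated users via the nopriv hook
// that dispatches to whatever function name the request supplies. This is the
// pattern behind both CWE-862 (missing capability check) and CWE-94
// (attacker-chosen callable reaching call_user_func).
add_action( 'wp_ajax_nopriv_demo_call', 'demo_call_insecure' );
add_action( 'wp_ajax_demo_call', 'demo_call_insecure' );
function demo_call_insecure() {
    $fn   = isset( $_POST['function'] ) ? $_POST['function'] : '';
    $args = isset( $_POST['args'] ) ? (array) $_POST['args'] : array();
    // Every WordPress and PHP function is reachable here, update_option included.
    wp_send_json( call_user_func_array( $fn, $args ) );
}

// After: the same feature with the three controls a reviewer would ask for.
// 1. No nopriv registration: only logged-in users can reach the action.
// 2. A nonce and a capability check before any work is done.
// 3. A fixed allowlist of callables instead of a name taken from the request.
add_action( 'wp_ajax_demo_call_safe', 'demo_call_secure' );
function demo_call_secure() {
    check_ajax_referer( 'demo_call_safe', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Keys are the only operation names the request may choose from;
    // the values are hypothetical plugin helpers defined below.
    $allowed = array(
        'summarize' => 'demo_summarize_text',
        'echo'      => 'demo_echo_text',
    );
    $op = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    if ( ! isset( $allowed[ $op ] ) ) {
        wp_send_json_error( 'unknown operation', 400 );
    }
    $text = isset( $_POST['text'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['text'] ) )
        : '';
    wp_send_json_success( call_user_func( $allowed[ $op ], $text ) );
}

function demo_summarize_text( $text ) {
    return wp_trim_words( $text, 20 );
}
function demo_echo_text( $text ) {
    return $text;
}
```

A patch that only adds the capability check still leaves the allowlist problem; the `$allowed` map is what removes the CWE-94 sink, and a logged-in user below administrator should not be able to reach it either.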
Timeline
Mar 20, 2026
CVE-2026-4038 published for Aimogen Pro privilege escalation
CVE-2026-4038 was publicly listed as a high-severity vulnerability affecting Aimogen Pro versions up to 2.7.5. It was classified as CWE-862 with a CVSS v3.1 vector showing unauthenticated privilege-escalation impact across confidentiality, integrity, and availability.
Mar 20, 2026
CVE-2026-3584 published for Kali Forms unauthenticated RCE
CVE-2026-3584 was publicly listed as a critical vulnerability affecting Kali Forms versions up to 2.4.9. It was classified as CWE-94 with a high-impact CVSS v3.1 vector indicating unauthenticated remote code execution risk.
Mar 20, 2026
Wordfence receives CVE-2026-4038 report for Aimogen Pro privilege escalation
Wordfence received a report on an arbitrary function call vulnerability in the WordPress Aimogen Pro plugin affecting versions up to and including 2.7.5. The missing capability check in aiomatic_call_ai_function_realtime allows unauthenticated attackers to invoke WordPress functions and escalate privileges, such as by enabling registration and setting the default role to administrator.
Mar 20, 2026
Wordfence receives CVE-2026-3584 report for Kali Forms RCE
Wordfence received a report on a remote code execution vulnerability in the WordPress Kali Forms plugin affecting versions up to and including 2.4.9. The flaw stems from unsafe handling in form_process and prepare_post_data that can let unauthenticated attackers reach call_user_func with user-controlled input.
Related Stories

Critical WordPress Form Plugin Flaws Enable Unauthenticated Server Compromise
Two high-severity vulnerabilities were disclosed in widely used WordPress form plugins, exposing sites to unauthenticated attacks that can lead to full server compromise. **CVE-2026-4347** affects **MW WP Form** through version `5.1.0` and stems from insufficient file path validation in `generate_user_filepath` and `move_temp_file_to_upload_dir`. An attacker can move arbitrary files on the server without authentication, and if a sensitive file such as `wp-config.php` is relocated, the flaw can be leveraged for remote code execution. Exploitation requires a form with a file upload field and the **Saving inquiry data in database** option enabled; the issue is tracked as **CWE-22**.
3 weeks ago
Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation
Multiple high-severity vulnerabilities were disclosed across popular **WordPress plugins**, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, **CVE-2025-15521** in *Academy LMS* (<= `3.5.0`), allows **unauthenticated administrator account takeover** because the plugin’s password update flow relies on a **publicly exposed WordPress nonce** as authorization rather than validating user identity; *Wordfence* reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period. Additional disclosures affect other plugins with different exploitation prerequisites and impacts. **CVE-2026-0726** in *Nexter Extension – Site Enhancements Toolkit* (<= `4.4.6`) is an **unauthenticated PHP object injection** via `nxt_unserialize_replace`, but it requires a usable **POP chain** from another installed plugin/theme to reach file deletion, data theft, or code execution. **CVE-2025-15347** in *Creator LMS* (<= `1.1.12`) enables **authenticated (Contributor+)** attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. **CVE-2025-14977** in *Dokan* (<= `4.2.4`) is an **IDOR** in the `/wp-json/dokan/v1/settings` REST endpoint that lets **authenticated (Customer+)** users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.
1 month ago
Unauthenticated Privilege Escalation in WordPress *Advanced Custom Fields: Extended* (CVE-2025-14533)
A critical vulnerability, **CVE-2025-14533**, was disclosed in the WordPress plugin *Advanced Custom Fields: Extended* affecting versions **<= 0.9.2.1**. The issue is an **unauthenticated privilege escalation** in the plugin’s user-form handling, where the `insert_user` logic does not properly restrict which roles can be assigned during registration; as a result, an attacker can submit a registration request specifying the **`administrator`** role and obtain full administrative access under certain configurations. Reporting indicates exploitation depends on site configuration: the flaw is reachable when a form is set up such that the **`role`** value is mapped to a custom field, or when a user role field is present in the form. The weakness was identified by **Andrea Bocchetti** via the **Wordfence Bug Bounty Program**, and is associated with **CWE-269 (Improper Privilege Management)**; once admin access is obtained, attackers can fully compromise the site (e.g., upload malicious plugins/themes, plant backdoors, or alter content for redirects).
1 month ago