Cyber Resilience

CVE-2026-3584

Critical · RCE

Published: 20 March 2026
Modified: 22 April 2026
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0724 (93.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-3584 is a critical-severity Code Injection (CWE-94) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Kali Forms plugin for WordPress is vulnerable to remote code execution in all versions through 2.4.9. The flaw resides in the form_process function, where prepare_post_data maps attacker-controlled keys directly into internal placeholder storage that is later passed to call_user_func, enabling arbitrary PHP execution. The issue is tracked as CVE-2026-3584 with a CVSS 3.1 score of 9.8 and is associated with CWE-94.

Unauthenticated attackers can exploit the vulnerability over the network by submitting specially crafted form data that populates the placeholders with callable values. Successful exploitation grants the attacker the ability to run arbitrary code on the server, resulting in full compromise of confidentiality, integrity, and availability.

Public references include the vulnerable code path in the plugin repository, a WordPress Trac changeset that addresses the issue, and a detailed entry from Wordfence threat intelligence, indicating that administrators should apply the available update to resolve the exposure. The EPSS score has reached a peak of 0.3386 with a current value of 0.2873.


Vulnerability details

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.


MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated remote code execution in a WordPress plugin, directly enabling exploitation of a public-facing web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2026-40563 (shared CWE-94)
CVE-2024-32641 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-2052 (shared CWE-94)
CVE-2026-9170 (shared CWE-94)
CVE-2025-54451 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2025-22204 (shared CWE-94)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-10, Information Input Validation): Directly blocks the root cause by requiring validation and sanitization of all user-supplied form keys before they are stored in placeholders or passed to call_user_func.

prevent (SI-2, Flaw Remediation): Mandates prompt application of the available plugin update that removes the unsafe prepare_post_data mapping and call_user_func usage.

prevent: Restricts the set of permitted PHP functions and modules so that dangerous callables cannot be invoked even if attacker-controlled placeholders reach call_user_func.
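The following PHP is an added illustration, not the Kali Forms plugin's code and not taken from any of the references. It contrasts the weak pattern the Deeper analysis describes (request keys and values copied into a placeholder table whose values later reach call_user_func) with a hardened form handler that implements the input-validation control listed above: an allowlist of declared fields, string-only placeholder values, and dynamic behaviour dispatched only through a fixed server-side table. Every function name other than call_user_func, is_callable and WordPress's sanitize_text_field is hypothetical, and the request array is constructed for the example.

```php
<?php
// Added illustration (not the Kali Forms plugin's code). Hypothetical names:
// weak_prepare_post_data, weak_render_placeholder, safe_prepare_post_data,
// safe_render_placeholder, KNOWN_FIELDS, PLACEHOLDER_FILTERS.

// Polyfill so the example runs outside WordPress; inside WordPress the real
// sanitize_text_field() is used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $value): string {
        return trim(strip_tags($value));
    }
}

// ---- Weak pattern (the CWE-94 shape described in the advisory) ----
// Request keys and values are copied straight into the placeholder table, and
// a later step treats placeholder values as callables.
function weak_prepare_post_data(array $post): array {
    $placeholders = [];
    foreach ($post as $key => $value) {
        $placeholders[$key] = $value;   // the request chooses both key and value
    }
    return $placeholders;
}

function weak_render_placeholder(array $placeholders, string $name): string {
    $value = $placeholders[$name] ?? '';
    // Defect: a request-supplied value that happens to be callable is executed
    // instead of being treated as form data.
    if (is_callable($value)) {
        return (string) call_user_func($value);
    }
    return is_string($value) ? $value : '';
}

// ---- Hardened form handler ----
// 1. Only the fields the form declares are accepted; unknown request keys are
//    dropped, so they can never overwrite internal placeholder entries.
// 2. Placeholder values must be strings and are only ever treated as data.
// 3. Any dynamic behaviour goes through a fixed server-side map keyed by a
//    known name; the request never supplies the callable itself.
const KNOWN_FIELDS = ['name', 'email', 'message'];

const PLACEHOLDER_FILTERS = [
    'upper' => 'strtoupper',
    'trim'  => 'trim',
];

function safe_prepare_post_data(array $post, array $schema = KNOWN_FIELDS): array {
    $placeholders = [];
    foreach ($schema as $field) {
        // Reject missing fields and non-string values (arrays such as
        // [$object, 'method'] are callables in PHP).
        if (!array_key_exists($field, $post) || !is_string($post[$field])) {
            continue;
        }
        $placeholders[$field] = sanitize_text_field($post[$field]);
    }
    return $placeholders;
}

function safe_render_placeholder(array $placeholders, string $name, ?string $filter = null): string {
    $value = $placeholders[$name] ?? '';
    if ($filter === null) {
        return $value;
    }
    if (!array_key_exists($filter, PLACEHOLDER_FILTERS)) {
        throw new InvalidArgumentException("unknown placeholder filter: {$filter}");
    }
    // The callable comes from the fixed table above, never from the request.
    return call_user_func(PLACEHOLDER_FILTERS[$filter], $value);
}

// Constructed request: includes an undeclared key and an array-valued field,
// both of which the weak version would have stored verbatim.
$request = [
    'name'    => '  Alice  ',
    'email'   => 'alice@example.com',
    'message' => ['not', 'a', 'string'],
    'unknown' => 'some_function_name',
];

$placeholders = safe_prepare_post_data($request);
print_r(array_keys($placeholders));
echo safe_render_placeholder($placeholders, 'name', 'upper'), PHP_EOL;
```

The design point is that the hardened handler never has to ask "is this value safe to call": the request can only select among entries that already exist in a server-defined table, and every stored placeholder is a sanitized string, so there is nothing for call_user_func to execute that the developer did not write. In a real WordPress plugin the schema would come from the form definition rather than a constant, and the third mitigating control (restricting permitted PHP functions at the runtime level, for example via disable_functions) remains a useful second layer if a similar defect is reintroduced.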
