The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-1860

CVE-2026-1860: Kali Forms IDOR Vulnerability in WordPress

CVE-2026-1860 is an Insecure Direct Object Reference flaw in Kali Forms for WordPress that lets authenticated attackers access sensitive form data. This article covers technical details, affected versions, impact, and mitigation.

Published: February 20, 2026

CVE-2026-1860 Overview

The Kali Forms plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 2.4.8. The flaw exists in the get_items_permissions_check() permission callback on the /kaliforms/v1/forms/{id} REST API endpoint, which only verifies the edit_posts capability without confirming that the requesting user has ownership or authorization over the specific form resource being accessed.

This vulnerability enables authenticated attackers with Contributor-level access or above to read form configuration data belonging to other users, including administrators, by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.

Critical Impact

Authenticated attackers can access sensitive form configuration data including reCAPTCHA secret keys, email templates, and server paths belonging to other users by exploiting broken access control in the REST API.

Affected Products

  • Kali Forms plugin for WordPress versions up to and including 2.4.8
  • WordPress installations with vulnerable Kali Forms versions
  • Sites with authenticated users having Contributor-level access or higher

Discovery Timeline

  • 2026-02-18 - CVE-2026-1860 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-1860

Vulnerability Analysis

This vulnerability is classified as CWE-862: Missing Authorization. The core issue stems from an incomplete authorization check in the Kali Forms REST API controller. When handling requests to the /kaliforms/v1/forms/{id} endpoint, the plugin's get_items_permissions_check() function validates that the requesting user possesses the edit_posts capability but fails to perform a crucial object-level authorization check.

In WordPress, the edit_posts capability is granted to users with Contributor role and above. While this capability check is appropriate for determining whether a user can create and edit their own posts, it is insufficient for protecting sensitive form resources that may belong to other users, including administrators.

The authorization gap allows any authenticated user meeting the minimum capability requirement to access arbitrary form configurations by simply iterating through form IDs in the REST API request. This represents a classic horizontal privilege escalation via Insecure Direct Object Reference.

Root Cause

The root cause is the absence of object-level authorization validation in the class-forms-rest-controller.php file. The permission callback relies solely on a capability-based check (edit_posts) rather than implementing proper resource ownership verification. The vulnerable code path can be traced through the REST controller implementation.

A secure implementation would verify that the requesting user either owns the form being requested or has explicit administrative privileges to access all forms. Without this check, the authorization boundary is effectively bypassed for any authenticated user with basic editing capabilities.

Attack Vector

The attack vector is network-based and requires low-privilege authentication. An attacker would first authenticate to a WordPress site with at least Contributor-level access. Once authenticated, the attacker can craft REST API requests to the vulnerable endpoint, systematically enumerating form IDs to discover and access form configurations belonging to other users.

The exploitation flow involves:

  1. Obtaining valid WordPress credentials for an account with edit_posts capability
  2. Sending authenticated requests to /wp-json/kaliforms/v1/forms/{id} with incrementing form IDs
  3. Parsing successful responses to extract sensitive configuration data including reCAPTCHA secrets, email notification settings, and server paths

Detection Methods for CVE-2026-1860

Indicators of Compromise

  • Unusual volume of REST API requests to /wp-json/kaliforms/v1/forms/ endpoints from a single user account
  • Sequential or systematic form ID enumeration patterns in access logs
  • Contributor or Author-level accounts accessing form resources they did not create
  • API requests returning form data containing reCAPTCHA secrets or sensitive configuration

Detection Strategies

  • Monitor WordPress REST API access logs for requests to /kaliforms/v1/forms/{id} endpoints with varying form IDs from non-administrator users
  • Implement alerting for failed authorization attempts or access to form resources outside a user's ownership scope
  • Review audit logs for patterns of systematic resource enumeration by low-privileged accounts
  • Deploy web application firewall rules to detect rapid sequential API requests to the vulnerable endpoint

Monitoring Recommendations

  • Enable detailed logging for WordPress REST API endpoints, particularly those related to form plugins
  • Establish baseline behavior for legitimate form access patterns and alert on deviations
  • Monitor for unauthorized access to sensitive configuration data in form responses
  • Implement rate limiting on REST API endpoints to slow enumeration attacks

How to Mitigate CVE-2026-1860

Immediate Actions Required

  • Update Kali Forms plugin to a version newer than 2.4.8 that includes the authorization fix
  • Review access logs for evidence of exploitation attempts targeting the vulnerable endpoint
  • Rotate any Google reCAPTCHA secret keys that may have been exposed through vulnerable forms
  • Audit Contributor-level and Author-level user accounts for suspicious activity

Patch Information

The vulnerability has been addressed in a subsequent version of the Kali Forms plugin. The security patch changeset implements proper object-level authorization checks to verify that requesting users have ownership or administrative access to the specific form resources they are attempting to access.

Organizations should update to the latest available version through the WordPress plugin repository. Additional technical details about this vulnerability are available in the Wordfence Vulnerability Report.

Workarounds

  • Temporarily disable the Kali Forms plugin until the patch can be applied if the forms are not business-critical
  • Restrict REST API access using security plugins or .htaccess rules to limit requests to the vulnerable endpoint
  • Remove unnecessary Contributor and Author accounts or temporarily demote them to Subscriber role
  • Implement additional authentication layers such as IP whitelisting for administrative WordPress functions
bash
# Restrict REST API access via .htaccess as a temporary mitigation
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-json/kaliforms/v1/forms/ [NC]
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
    RewriteRule .* - [F,L]
</IfModule>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechWordpress
  • SeverityMEDIUM
  • CVSS Score4.3
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-862
  • Technical References
  • WordPress Kali Forms Code Reference
  • WordPress Kali Forms Code Reference
  • WordPress Kali Forms Code Reference
  • WordPress Kali Forms Changeset
  • Wordfence Vulnerability Report
  • Related CVEs
  • CVE-2026-4338: ActivityPub WordPress Info Disclosure Flaw
  • CVE-2026-3594: Riaxe Product Customizer Info Disclosure
  • CVE-2026-4654: WordPress Awesome Support IDOR Vulnerability
  • CVE-2026-1233: WordPress TTS Plugin Info Disclosure Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English