A recently disclosed Kali Forms vulnerability affecting a widely used WordPress plugin has escalated into an active security threat, enabling unauthenticated attackers to achieve Remote Code Execution on affected websites. The flaw impacts Kali Forms, a drag-and-drop form builder with more than 10,000 active installations, and has already been exploited in the wild shortly after public disclosure.  Security researchers reported that the vulnerability was first submitted on March 2, 2026, through a bug bounty program, identifying a critical Remote Code Execution issue in the Kali Forms vulnerability chain. The vendor released a patched version on March 20, 2026, and the issue was simultaneously added to the Wordfence Intelligence database. On the same day, attackers began actively exploiting it on scale. 

Timeline of the Kali Forms Vulnerability in the WordPress Plugin Ecosystem 

The Kali Forms vulnerability followed a rapid disclosure-to-exploitation cycle: 

• March 2, 2026: Initial submission of the Remote Code Execution flaw via bug bounty reporting. 
• March 5, 2026: Wordfence Premium, Care, and Response users received firewall protection. 
• March 20, 2026: Patched version released; vulnerability publicly disclosed; attackers began exploiting the same day. 
• April 4, 2026: Free Wordfence users received delayed firewall protection. 
• April 4–10, 2026: Peak exploitation activity observed against the Kali Forms vulnerability. 

The patched release addressed the issue in version 2.4.10 of the WordPress plugin, while all versions up to and including 2.4.9 remained vulnerable. 

Technical Root Cause Behind the Kali Forms Vulnerability

The core of this WordPress plugin flaw lies in how user-supplied form data is processed and stored internally. The vulnerability resides in the form_process flow and the prepare_post_data() function, which incorrectly maps attacker-controlled input into internal placeholder storage without proper validation or allow-list restrictions.  These placeholders are later used in the _save_data() method, where unsafe execution occurs through call_user_func().  A simplified excerpt of the vulnerable logic includes: 

if (isset($this->placeholdered_data['{entryCounter}'])) {    $this->placeholdered_data['{entryCounter}'] =        call_user_func($this->placeholdered_data['{entryCounter}'], $this->post->ID); } 

Because the Kali Forms vulnerability allows attackers to fully control values like {entryCounter} and {thisPermalink}, an unauthenticated user can inject arbitrary PHP function names. These are then executed directly, resulting in Remote Code Execution (RCE) attacks.  Researchers noted that the lack of input restrictions in prepare_post_data() enables overwriting internal placeholders. As a result, attacker-controlled values flow directly into call_user_func(), making exploitation trivial once the request is submitted.  One observed abuse pattern demonstrates authentication bypass attempts using built-in WordPress functions. For example, attackers can assign: 

• {entryCounter} = wp_set_auth_cookie  

• formId = 1  

This leads to execution of wp_set_auth_cookie(1), which may log attackers in as the default administrator account if it exists, effectively turning the Kali Forms vulnerability into a full account takeover vector. 

Active Exploitation of the Kali Vulnerability in Real-world Attacks 

Telemetry from security monitoring shows that exploitation began immediately after disclosure. Attackers have been systematically targeting the WordPress plugin using automated requests to admin-ajax.php.  A representative exploit request includes: 

POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=kaliforms_form_process& data[formId]=1& data[nonce]=66ddddb2b7& data[entryCounter]=wp_set_auth_cookie 

This confirms how the Remote Code Execution flaw is triggered through manipulated form submission data.  Security systems recorded significant attack volume: 

• Over 312,200 exploit attempts were blocked targeting the Kali Forms vulnerability. 
• Heavy targeting was observed immediately after March 20, 2026 disclosure. 
• Increased spike in activity between April 4 and April 10, 2026. 

Top Attacking IP Addresses Observed 

Threat intelligence identified several IPs responsible for large-scale exploitation attempts: 

• 209.146.60.26 – over 152,000 blocked requests  
• 49.156.40.126 – over 50,000  
• 124.248.183.139 – over 26,000  
• 202.56.2.126 – over 14,000  
• 130.12.182.154 – over 11,000  
• 104.28.160.197 – over 9,000  
• 1.53.114.181 – over 5,700  
• 157.15.40.74 – over 3,000  
• 114.10.99.126 – over 2,500  
• 83.147.12.83 – over 1,300  

These sources were repeatedly associated with exploitation attempts targeting the Kali Forms vulnerability in the affected WordPress plugin. 

In an unusual development within the underground cyber world, a dark web article contest has been announced on a well-known dark web forum, TierOne forum. The initiative is backed by a $10,000 prize pool. The contest places a spotlight on technical writing centered around vulnerability exploitation, offering insight into how knowledge is shared and rewarded in these spaces.  Traditionally, dark web forums have been linked to illicit activities such as trading stolen data, coordinating ransomware attacks, and distributing malware. However, this contest introduces a different dynamic, one that mirrors legitimate cybersecurity ecosystems, where researchers document findings and share exploit techniques.  

The Dark Web Article Contest Overview and Prize Structure 

According to an official announcement shared by an administrator on the forum, the post states: “Всем привет! Мы рады сообщить T1 erone [КОНКУРС СТАТЕЙ #1 - 2026]. Победители конкурса получают призы: 1 место 5.000$, 2 место - 3.000$, 3 место - 2.000$, [Призовой фонд 10.000$]. Прием статей начинается 13.04.2026 и заканчивается 14.05.2026.”   The announcement indicates that the dark web article contest will run from April 13, 2026, to May 14, 2026, with prize amounts set at $5,000 for first place, $3,000 for second place, and $2,000 for third place, making up a total prize pool of $10,000, reportedly sponsored by the ransomware group cry0. 

Topics Focused on Vulnerability Exploitation 

The contest invites submissions covering a wide range of advanced topics related to vulnerability exploitation with real-world applicability. These include: 

• Remote Code Execution (RCE) through deserialization flaws in React and Node.js frameworks. 
• Command injection attacks in APIs and backend systems. 
• Insecure Direct Object Reference (IDOR) vulnerabilities in SaaS platforms. 
• Server-Side Template Injection (SSTI) in modern templating engines. 
• Exploitation of insecure deserialization in PHP and Java. 
• Client-side RCE via Markdown or Office file rendering. 
• Firmware attacks targeting routers and cameras. 
• Privilege escalation techniques in RouterOS and similar systems. 
• Exploitation methods for products from Cisco, MikroTik, Oracle, and Ubiquiti. 
• Zero-day discovery in browser components like WebGPU and Blink. 
• AI-assisted vulnerability discovery and reverse engineering. 
• Techniques for bypassing AV and EDR security systems. 
• Exploitation of Remote Procedure Call (RPC) mechanisms. 

For context, vulnerabilities such as RCE, IDOR, and SSTI allow attackers to execute arbitrary code or access restricted data, while firmware attacks enable persistent control over hardware devices. Similarly, AV/EDR bypass techniques are designed to evade detection by modern security solutions. 

Participation Rules and Requirements 

The TierOne forum has outlined strict guidelines for participants. Articles must be published within the forum’s designated section and include a specific prefix to qualify: 

• Submissions must be posted under the Articles section with the prefix “[Contest]”. 
• A link to the article must be shared in the contest thread with a participation note. 
• All users are eligible, regardless of registration date or activity level. 
• The use of multiple accounts is strictly prohibited. 

In addition, the contest enforces content quality standards: 

• Articles must be original and based on the author’s own experience. 
• Copy-pasted or reposted material is not allowed. 
• Submissions should comprehensively cover the chosen topic, including tools, techniques, and methodologies. 
• Minimum length requirement is at least one A4 page. 
• Excessive filler content is discouraged. 
• Including video demonstrations may improve chances of winning. 

A Glimpse into Dark Web Knowledge Sharing 

While the existence of such a contest may seem surprising, it notes a bigger trend within dark web forums. Beyond illegal marketplaces and data trading, these platforms also function as hubs for technical exchange, where members document and refine vulnerability exploitation techniques. In many ways, the structure resembles legitimate bug bounty programs and penetration testing workflows, where cybersecurity professionals publish detailed reports on discovered flaws. The key difference lies in the intent and environment in which this knowledge is applied. It is important to note that this article does not endorse participation in such activities. Instead, it aims to shed light on how these underground ecosystems operate. The TierOne forum contest highlights that even within the dark web, there are organized efforts to produce structured, experience-based technical content, albeit in a context that raises ethical and legal concerns.