CVE-2026-3584

Kali Forms · Kali Forms plugin for WordPress

The Kali Forms WordPress plugin is vulnerable to Remote Code Execution (RCE) via the form_process function, allowing unauthenticated attackers to execute arbitrary code.

Executive summary

Unauthenticated attackers can achieve full server compromise by exploiting a Remote Code Execution (RCE) vulnerability in the Kali Forms WordPress plugin.

Vulnerability

This critical RCE vulnerability exists in the form_process function due to the prepare_post_data function mapping user-supplied keys directly into internal storage. When combined with the insecure use of call_user_func on these values, unauthenticated attackers can trigger arbitrary PHP code execution.
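The pattern described above, shown beside a hardened form that accepts only declared fields and dispatches through a fixed handler map. This is an added illustration written for this page, not code from the Kali Forms plugin; the function names, field names, handler map and the sample request are assumptions.

```php
<?php
// Added illustration, not Kali Forms' code: names and keys below are assumptions.

// Weak pattern: every submitted key is copied into internal storage, and a stored
// value is later passed to call_user_func. Nothing stops a request from supplying
// the very key the code treats as a callback. Defined here only for comparison.
function prepare_post_data_weak(array $post): array {
    $data = [];
    foreach ($post as $key => $value) {
        $data[$key] = $value;                  // caller chooses both key and value
    }
    return $data;
}

function form_process_weak(array $data): void {
    if (isset($data['callback'])) {
        call_user_func($data['callback'], $data); // callable name comes from the request
    }
}

// Hardened pattern: copy only fields the form declares, and map a short, validated
// action name onto a closed set of known handlers instead of calling a request value.
const ALLOWED_FIELDS = ['name', 'email', 'message', 'action'];
const HANDLERS = ['store' => 'handle_store', 'email' => 'handle_email'];

function prepare_post_data_safe(array $post): array {
    $data = [];
    foreach (ALLOWED_FIELDS as $field) {
        if (array_key_exists($field, $post) && is_string($post[$field])) {
            $data[$field] = trim(strip_tags($post[$field]));
        }
    }
    return $data;                               // undeclared keys never reach storage
}

function form_process_safe(array $data): string {
    $action = $data['action'] ?? 'store';
    if (!array_key_exists($action, HANDLERS)) {
        return 'rejected: unknown action';      // fail closed on anything unmapped
    }
    return call_user_func(HANDLERS[$action], $data);
}

function handle_store(array $data): string { return 'stored message from ' . $data['name']; }
function handle_email(array $data): string { return 'emailed ' . $data['email']; }

// Constructed request: a normal submission plus a key the form never declared.
$request = ['name' => 'Ada', 'email' => 'ada@example.com', 'message' => 'hello',
            'action' => 'store', 'callback' => 'not_a_form_field'];
$safe = prepare_post_data_safe($request);
var_dump(array_key_exists('callback', $safe));  // the undeclared key is dropped
echo form_process_safe($safe), "\n";
```

The hardened version also rejects unexpected `action` values rather than trying to resolve them, which is the check a reviewer should look for wherever a request value feeds a dynamic call.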

Business impact

An RCE vulnerability is the most severe type of security flaw, as it allows an attacker to take complete control of the web server. This can lead to total data theft, website defacement, and the use of the server as a pivot point for further internal network attacks. The CVSS score of 9.8 underscores the extreme urgency of this issue.

Remediation

Immediate Action: Update the Kali Forms plugin to the latest patched version (2.5.0 or higher) immediately. If a patch is unavailable, deactivate and remove the plugin.

Proactive Monitoring: Scan for suspicious PHP files in the WordPress uploads and plugin directories and review web server access logs for unusual POST requests to the Kali Forms endpoints.

Compensating Controls: Use a Web Application Firewall (WAF) with generic RCE protection rules to block malicious payloads targeting PHP functions such as call_user_func.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical nature of unauthenticated Remote Code Execution, this vulnerability must be addressed with the highest priority. Administrators should update the Kali Forms plugin immediately and conduct a thorough security audit of the WordPress environment to ensure no backdoors were established.