Attackers Actively Exploiting Critical Vulnerability in Kali Forms Plugin

If your website runs the Kali Forms plugin, you need to stop and read this. On 2nd March 2026, a Remote Code Execution vulnerability was reported through Wordfence’s Bug Bounty Programme in Kali Forms, a plugin with more than 10,000 active installations. This is not a theoretical risk sitting in a researcher’s report. Attackers are actively exploiting it right now, and sites that remain unpatched are sitting targets.

Remote Code Execution — RCE — means an attacker can run their own code on your server without any prior access to your site. No login required. No invitation. They simply send a crafted request, and your server executes whatever they instruct it to. From that point forward, your site is no longer yours.

What Attackers Actually Do Once They Are In

Business owners sometimes hear the word “vulnerability” and picture something abstract. The reality is considerably more concrete. Once a WordPress plugin flaw is exploited, attackers gain full administrative control, enabling them to install or modify plugins, access and steal stored user data, alter website content, create hidden admin accounts, plant backdoors for persistent future access, and redirect visitors to phishing pages or malware delivery sites.

Think about what that means in practice for your business:

• Customer data stolen. Contact forms, enquiry submissions, order records — anything stored in your database can be extracted. Depending on what data you hold, that is a potential GDPR breach, with the regulatory and reputational consequences that follow.
• Your website defaced or weaponised. Attackers can replace your content entirely, or more insidiously, leave your site looking normal whilst running hidden malicious code beneath the surface.
• Backdoors planted. Even if you clean up and patch, attackers routinely install hidden access points before they leave. Without a thorough audit, patching the plugin alone does not guarantee you are clean.
• Visitors redirected. Your customers arrive at your site and are sent straight to a phishing page or malware distribution site. They associate that experience with your brand, not with an anonymous attacker.

This is not scaremongering. These are the documented, standard behaviours of attackers once they have administrative access to a WordPress installation.

It is also worth placing this in a broader context. The pattern of critical WordPress plugin vulnerabilities is not slowing down. A critical vulnerability rated CVSS 9.8 in the OttoKit WordPress plugin, installed on over 100,000 sites, is also being actively exploited. A CVSS score of 9.8 out of 10 represents near-maximum severity. These are not edge cases. They are a recurring feature of the plugin ecosystem, and any business running WordPress without a proactive security posture is routinely exposed to exactly this kind of risk.

Why Patching Quickly Is the Only Acceptable Response

There is a persistent assumption amongst site owners that once a patch is released, the immediate danger passes. The evidence does not support that assumption. Research from Qualys found that 85% of vulnerable assets remain unpatched at the point of public disclosure, 33% are still unpatched at 21 days, and 12% remain exposed after 90 days.

Attackers know this. The moment a vulnerability is publicly disclosed, automated scanning tools begin probing every reachable installation. The window between disclosure and active exploitation is measured in hours, not weeks. Waiting until your next scheduled maintenance cycle, or until someone on your team finds a spare moment, is not a viable approach when the vulnerability in question allows complete server compromise without authentication.

The risk picture is further complicated by the nature of some attacks in the WordPress ecosystem. In one documented supply chain attack pattern, threat actors purchased trusted WordPress plugins with established install bases, inherited commit access, and injected malicious code — with affected sites requiring a full cleanup well beyond simply patching the plugin. This is a reminder that compromise is not always visible at the surface level, and that remediation sometimes requires considerably more than updating a version number.

If you are running Kali Forms, the immediate actions are straightforward:

1. Check your installed plugins now and confirm whether Kali Forms is present.
2. If it is, update to the latest available version immediately. If no patched version is available, deactivate and remove the plugin without delay.
3. Review your site for signs of compromise — unexpected admin accounts, unfamiliar files, or any changes to your site’s behaviour or content.
4. Do not assume that updating the plugin alone is sufficient if your site was exposed during the period of active exploitation. A proper security audit is warranted.

The longer question this situation raises is whether reactive patching is the right model for your business at all. A managed WordPress security arrangement means vulnerabilities are monitored continuously, updates are applied promptly, and your site is audited regularly for signs of compromise — before a researcher’s disclosure report becomes tomorrow’s breach. If you are a business owner whose website carries real commercial weight, that is a conversation worth having.

If you would like a straightforward assessment of your current WordPress security posture, or help with an urgent remediation, get in touch with me at The WordPress Guy. This is exactly the kind of situation I work with business owners to resolve.