A recently disclosed Kali Forms vulnerability affecting a widely used WordPress plugin has escalated into an active security threat, enabling unauthenticated attackers to achieve Remote Code Execution on affected websites. The flaw impacts Kali Forms, a drag-and-drop form builder with more than 10,000 active installations, and has already been exploited in the wild shortly after public disclosure. 

Security researchers reported that the vulnerability was first submitted on March 2, 2026, through a bug bounty program, identifying a critical Remote Code Execution issue in the Kali Forms vulnerability chain. The vendor released a patched version on March 20, 2026, and the issue was simultane...