Kali Forms — Contact Form & Drag-and-Drop Builder Security & Risk Analysis

wordpress.org/plugins/kali-forms

Build contact forms for your WordPress website in minutes through the Drag & Drop builder and Guided Emails for entries notifications.

20K active installs · v2.4.9 · PHP 5.6+ · WP + · Updated Feb 12, 2026
Tags: contact-form, form-builder, forms, payment-form, stripe-payment

Security score: 88 (A · Safe)
CVEs total: 10
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is Kali Forms — Contact Form & Drag-and-Drop Builder Safe to Use in 2026?

Generally Safe

Score 88/100

Kali Forms — Contact Form & Drag-and-Drop Builder has a strong security track record. Known vulnerabilities have been patched promptly.

10 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

The kali-forms plugin v2.4.9 presents a mixed security posture. While it demonstrates strong practices in using prepared statements for SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface. A large number of AJAX handlers (28 out of 41) lack proper authentication checks, creating a substantial entry point for unauthorized actions. Additionally, the taint analysis reveals two flows with unsanitized paths, which, although not flagged as critical or high severity in this analysis, warrant careful investigation as they could be exploited if combined with specific attack vectors.

The plugin's vulnerability history, with 10 known CVEs primarily revolving around Cross-site Scripting and authorization issues, paints a concerning picture of past security weaknesses. The fact that there are currently no unpatched vulnerabilities is a positive sign, but the prevalence of high and medium severity past issues suggests a recurring pattern of authorization and input validation flaws. While the presence of nonce checks and capability checks is good, their effectiveness is diminished by the sheer number of unprotected AJAX endpoints.

In conclusion, kali-forms v2.4.9 has commendable aspects like secure SQL handling and output escaping. However, the significant number of unprotected AJAX handlers and the historical pattern of authorization and XSS vulnerabilities are major red flags. The taint analysis results, though currently low severity, should be viewed with caution given the plugin's history. This plugin requires careful monitoring and potentially further review of its unprotected entry points.

Key Concerns

  • High number of unprotected AJAX handlers
  • Taint analysis shows unsanitized paths
  • Vulnerability history includes high severity XSS and Auth bypass
  • Bundled library: PHPMailer

Vulnerabilities (10)

Kali Forms — Contact Form & Drag-and-Drop Builder Security Vulnerabilities

CVEs by Year

  • 2020: 3 CVEs
  • 2023: 2 CVEs
  • 2024: 3 CVEs
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • High: 4
  • Medium: 6

10 total CVEs

CVE-2026-1860 · medium · 4.3 · Missing Authorization
Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure
Feb 17, 2026 · Patched in 2.4.9 (1d)

CVE-2025-3201 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Apr 25, 2025 · Patched in 2.4.3 (50d)

CVE-2024-1217 · high · 7.6 · Missing Authorization
Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization to Arbitrary Plugin Deactivation
Feb 19, 2024 · Patched in 2.3.42 (2d)

CVE-2024-1218 · medium · 4.3 · Missing Authorization
Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization
Feb 19, 2024 · Patched in 2.3.42 (2d)

CVE-2024-22305 · medium · 6.5 · Authorization Bypass Through User-Controlled Key
Contact Form builder with drag & drop - Kali Forms <= 2.3.36 - Insecure Direct Object Reference
Jan 17, 2024 · Patched in 2.3.37 (16d)

CVE-2023-46083 · medium · 5.3 · Missing Authorization
Contact Form builder with drag & drop - Kali Forms <= 2.3.27 - Missing Authorization via Contact Form
Oct 16, 2023 · Patched in 2.3.28 (99d)

CVE-2023-45275 · medium · 6.5 · Missing Authorization
Contact Form builder with drag & drop - Kali Forms <= 2.3.28 - Missing Authorization via get_log
Oct 6, 2023 · Patched in 2.3.29 (109d)

CVE-2020-36712 · high · 8.6 · Missing Authorization
Kali Forms <= 2.1.1 - Unauthenticated Arbitrary Post Deletion
Aug 21, 2020 · Patched in 2.1.2 (1250d)

CVE-2020-36720 · high · 7.1 · Missing Authorization
Kali Forms <= 2.1.1 - Missing Authorization to Settings Update
Aug 21, 2020 · Patched in 2.1.2 (1250d)

CVE-2020-36717 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Kali Forms <= 2.1.1 - Cross-Site Request Forgery
Aug 21, 2020 · Patched in 2.1.2 (1250d)

Code Analysis
Analyzed Mar 16, 2026

Kali Forms — Contact Form & Drag-and-Drop Builder Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (7 prepared)
  • Unescaped Output: 19 (437 escaped)
  • Nonce Checks: 20
  • Capability Checks: 16
  • File Operations: 11
  • External Requests: 10
  • Bundled Libraries: 1

Bundled Libraries

PHPMailer

SQL Query Safety

100% prepared · 7 total queries

Output Escaping

96% escaped · 456 total outputs

Data Flows (2 unsanitized)

Data Flow Analysis

2 flows · 2 with unsanitized paths

  • add_form_id_filter (Inc\Backend\Posts\class-submitted.php:171)

Attack Surface (28 unprotected)

Kali Forms — Contact Form & Drag-and-Drop Builder Attack Surface

Entry Points: 43
Unprotected: 28

AJAX Handlers (41)

  • auth: wp_ajax_kaliforms_set_form_theme (Inc\Backend\class-form-styles.php:39)
  • auth: wp_ajax_kaliforms_reload_api_extensions (Inc\Backend\class-hooks.php:58)
  • nopriv: wp_ajax_kaliforms_reload_api_extensions (Inc\Backend\class-hooks.php:62)
  • auth: wp_ajax_kaliforms_update_option_ajax (Inc\Backend\class-hooks.php:72)
  • auth: wp_ajax_kaliforms_get_email_log (Inc\Backend\class-hooks.php:77)
  • nopriv: wp_ajax_kaliforms_get_email_log (Inc\Backend\class-hooks.php:81)
  • auth: wp_ajax_kaliforms_clear_log (Inc\Backend\class-hooks.php:86)
  • auth: wp_ajax_kaliforms_get_grid (Inc\Backend\class-hooks.php:87)
  • nopriv: wp_ajax_kaliforms_clear_log (Inc\Backend\class-hooks.php:88)
  • nopriv: wp_ajax_kaliforms_update_option_ajax (Inc\Backend\class-hooks.php:89)
  • nopriv: wp_ajax_kaliforms_get_grid (Inc\Backend\class-hooks.php:90)
  • auth: wp_ajax_kaliforms_set_form_theme (Inc\Backend\class-hooks.php:98)
  • nopriv: wp_ajax_kaliforms_set_form_theme (Inc\Backend\class-hooks.php:102)
  • auth: wp_ajax_kaliforms_dismiss_notice (Inc\Backend\class-notifications.php:30)
  • auth: wp_ajax_kaliforms_test_email (Inc\Backend\class-plugin-health-checks.php:64)
  • nopriv: wp_ajax_kaliforms_test_email (Inc\Backend\class-plugin-health-checks.php:68)
  • auth: wp_ajax_kaliforms_get_form_data (Inc\Backend\class-predefined-forms.php:33)
  • auth: wp_ajax_kaliforms_get_js_var (Inc\Backend\Posts\class-forms.php:100)
  • nopriv: wp_ajax_kaliforms_get_js_var (Inc\Backend\Posts\class-forms.php:101)
  • auth: wp_ajax_kaliforms_form_verify_products (Inc\class-payments-simple.php:35)
  • nopriv: wp_ajax_kaliforms_form_verify_products (Inc\class-payments-simple.php:36)
  • auth: wp_ajax_kaliforms_form_paypal_confirm_log (Inc\class-payments-simple.php:38)
  • nopriv: wp_ajax_kaliforms_form_paypal_confirm_log (Inc\class-payments-simple.php:39)
  • auth: wp_ajax_kaliforms_form_process (Inc\Frontend\class-form-processor.php:87)
  • nopriv: wp_ajax_kaliforms_form_process (Inc\Frontend\class-form-processor.php:88)
  • auth: wp_ajax_kaliforms_preflight (Inc\Frontend\class-form-processor.php:90)
  • nopriv: wp_ajax_kaliforms_preflight (Inc\Frontend\class-form-processor.php:91)
  • auth: wp_ajax_kaliforms_form_verify_recaptcha (Inc\Frontend\class-form-processor.php:93)
  • nopriv: wp_ajax_kaliforms_form_verify_recaptcha (Inc\Frontend\class-form-processor.php:94)
  • auth: wp_ajax_kaliforms_form_verify_turnstile (Inc\Frontend\class-form-processor.php:96)
  • nopriv: wp_ajax_kaliforms_form_verify_turnstile (Inc\Frontend\class-form-processor.php:97)
  • auth: wp_ajax_kaliforms_form_upload_file (Inc\Frontend\class-form-processor.php:99)
  • nopriv: wp_ajax_kaliforms_form_upload_file (Inc\Frontend\class-form-processor.php:100)
  • auth: wp_ajax_kaliforms_form_delete_uploaded_file (Inc\Frontend\class-form-processor.php:102)
  • nopriv: wp_ajax_kaliforms_form_delete_uploaded_file (Inc\Frontend\class-form-processor.php:103)
  • auth: wp_ajax_kaliforms_duplicate_post (Inc\Utils\class-duplicate-post.php:26)
  • nopriv: wp_ajax_kaliforms_duplicate_post (Inc\Utils\class-duplicate-post.php:33)
  • auth: wp_ajax_kaliforms_resend_emails (Inc\Utils\class-submission-actions.php:30)
  • nopriv: wp_ajax_kaliforms_resend_emails (Inc\Utils\class-submission-actions.php:31)
  • auth: wp_ajax_kaliforms_delete_submission (Inc\Utils\class-submission-actions.php:33)
  • nopriv: wp_ajax_kaliforms_delete_submission (Inc\Utils\class-submission-actions.php:34)

Shortcodes (2)

  • [kaliform] (Inc\Backend\Posts\class-forms.php:79)
  • [kaliform-submission] (Inc\Frontend\class-submission-shortcode.php:51)

WordPress Hooks (51)

  • action: wp_dashboard_setup (Inc\Backend\class-dashboard-widget.php:22)
  • action: admin_enqueue_scripts (Inc\Backend\class-hooks.php:34)
  • action: init (Inc\Backend\class-hooks.php:40)
  • filter: plugin_action_links_kaliforms/kaliforms.php (Inc\Backend\class-hooks.php:53)
  • action: init (Inc\Backend\class-hooks.php:67)
  • action: save_post (Inc\Backend\class-meta-save.php:40)
  • action: admin_notices (Inc\Backend\class-notifications.php:28)
  • action: admin_enqueue_scripts (Inc\Backend\class-plugin-deactivation.php:34)
  • filter: site_status_tests (Inc\Backend\class-plugin-health-checks.php:54)
  • action: init (Inc\Backend\class-plugin-health-checks.php:58)
  • action: init (Inc\Backend\class-plugin-review.php:49)
  • action: admin_notices (Inc\Backend\class-plugin-review.php:98)
  • action: admin_enqueue_scripts (Inc\Backend\class-plugin-review.php:99)
  • action: init (Inc\Backend\Posts\class-forms.php:41)
  • action: add_meta_boxes (Inc\Backend\Posts\class-forms.php:43)
  • action: admin_enqueue_scripts (Inc\Backend\Posts\class-forms.php:45)
  • filter: get_user_option_screen_layout_kaliforms_forms (Inc\Backend\Posts\class-forms.php:47)
  • filter: get_user_option_meta-box-order_kaliforms_forms (Inc\Backend\Posts\class-forms.php:54)
  • filter: manage_edit-kaliforms_forms_columns (Inc\Backend\Posts\class-forms.php:62)
  • action: manage_kaliforms_forms_posts_custom_column (Inc\Backend\Posts\class-forms.php:69)
  • action: admin_head (Inc\Backend\Posts\class-forms.php:92)
  • action: admin_menu (Inc\Backend\Posts\class-forms.php:93)
  • filter: image_size_names_choose (Inc\Backend\Posts\class-forms.php:403)
  • action: init (Inc\Backend\Posts\class-submitted.php:39)
  • filter: query_vars (Inc\Backend\Posts\class-submitted.php:40)
  • action: pre_get_posts (Inc\Backend\Posts\class-submitted.php:41)
  • filter: manage_edit-kaliforms_forms_columns (Inc\Backend\Posts\class-submitted.php:42)
  • action: manage_kaliforms_forms_posts_custom_column (Inc\Backend\Posts\class-submitted.php:43)
  • action: restrict_manage_posts (Inc\Backend\Posts\class-submitted.php:44)
  • action: views_edit-kaliforms_submitted (Inc\Backend\Posts\class-submitted.php:46)
  • action: admin_enqueue_scripts (Inc\Backend\Posts\class-submitted.php:48)
  • action: admin_menu (Inc\Backend\Posts\class-submitted.php:56)
  • filter: views_edit-kaliforms_submitted (Inc\Backend\Posts\class-submitted.php:58)
  • filter: manage_edit-kaliforms_submitted_columns (Inc\Backend\Posts\class-submitted.php:294)
  • action: manage_kaliforms_submitted_posts_custom_column (Inc\Backend\Posts\class-submitted.php:295)
  • action: admin_init (Inc\Backend\Views\class-email-settings-page.php:28)
  • action: admin_enqueue_scripts (Inc\Backend\Views\class-email-settings-page.php:32)
  • action: admin_enqueue_scripts (Inc\Backend\Views\class-form-entries-page.php:32)
  • action: plugins_loaded (Inc\class-kaliforms.php:64)
  • action: admin_head (Inc\class-kaliforms.php:65)
  • action: rest_api_init (Inc\class-kaliforms.php:140)
  • action: elementor/widgets/widgets_registered (Inc\class-kaliforms.php:254)
  • action: wp_enqueue_scripts (Inc\Frontend\class-submission-shortcode.php:53)
  • filter: post_row_actions (Inc\Utils\class-duplicate-post.php:22)
  • action: plugins_loaded (Inc\Utils\class-welcome-screen.php:23)
  • action: admin_menu (Inc\Utils\class-welcome-screen.php:41)
  • action: admin_head (Inc\Utils\class-welcome-screen.php:42)
  • action: admin_init (Inc\Utils\class-welcome-screen.php:43)
  • action: kali_mail_failed (Inc\Utils\EmailUtilities\class-email-logger.php:47)
  • action: wp_mail_failed (Inc\Utils\EmailUtilities\class-email-logger.php:48)
  • action: kali_mail_success (Inc\Utils\EmailUtilities\class-email-logger.php:49)

Maintenance & Trust

Kali Forms — Contact Form & Drag-and-Drop Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 12, 2026
PHP min version: 5.6
Downloads: 1.5M

Community Trust

Rating: 96/100
Number of ratings: 89
Active installs: 20K

Developer Profile

Kali Forms — Contact Form & Drag-and-Drop Builder Developer Profile

WP Chill

29 plugins · 440K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 608 days
Detection Fingerprints

How We Detect Kali Forms — Contact Form & Drag-and-Drop Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/kali-forms/assets/general/js/general.js
  • /wp-content/plugins/kali-forms/assets/block/js/block.js
  • /wp-content/plugins/kali-forms/assets/block/css/block.css
Version Parameters
  • kaliforms/assets/general/js/general.js?ver=
  • kaliforms/assets/block/js/block.js?ver=
  • kaliforms/assets/block/css/block.css?ver=

HTML / DOM Fingerprints

CSS Classes
kaliforms-container
Data Attributes
data-nonce, data-kaliforms
JS Globals
KaliFormsGeneralObject, KaliForms
REST Endpoints
/wp-json/kaliforms
FAQ

Frequently Asked Questions about Kali Forms — Contact Form & Drag-and-Drop Builder