CVE-2020-36712 HIGH

CVE-2020-36712: Kali Forms <= 2.1.1 - Unauthenticated Arbitrary Post Deletion

Vendor Wpchill
Product Kali Forms — Contact Form & Drag-and-Drop Builder
Weakness CWE-862 · Missing authorization
Published June 7, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for unauthenticated attackers to delete any site post or page with the id parameter.

Key dates

02Disclosure timeline

June 7, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-3138 Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE CVE-2025-12027 Mesmerize Companion <= 1.6.158 - Missing Authorization Authenticated (Subscriber+) Settings Update CVE-2026-32385 WordPress RegistrationMagic plugin <= 6.0.7.6 - Broken Access Control vulnerability CVE-2025-57985 WordPress Ultimate Watermark Plugin <= 1.1 - Broken Access Control Vulnerability CVE-2026-28555 wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler