Unauthenticated RCE in Kali Forms for WordPress

The repository is a small standalone exploit project with two files: a long README and a Python script, mass_scanner.py. The README documents CVE-2026-3584, describing an unauthenticated RCE and privilege-escalation issue in the WordPress Kali Forms plugin <= 2.4.9 via the publicly exposed AJAX action kaliforms_form_process. It explains the attack chain: send POST requests to /wp-admin/admin-ajax.php with action=kaliforms_form_process and attacker-controlled fields such as data[thisPermalink] or data[entryCounter] to invoke arbitrary PHP callbacks, including phpinfo() for code execution validation and wp_set_auth_cookie for session creation. The Python code is the operational component. It is a multithreaded mass scanner that accepts a file of targets, normalizes URLs by probing HTTPS/HTTP, and uses requests plus BeautifulSoup for reconnaissance and exploitation workflow. Based on the visible code and README description, the scanner performs several stages: WordPress REST API enumeration through /wp-json/wp/v2/users and /wp-json/wp/v2/posts, site crawling/form discovery, exploitation attempts against the vulnerable AJAX endpoint, and post-exploitation handling of WordPress cookies. It creates result and result_cookie directories, logs progress in a thread-safe way, tracks scan statistics, and writes per-host HTTP request templates containing harvested cookies for direct reuse against /wp-admin/. This is not merely a detector: it is intended to exploit targets at scale. Its main capabilities are reconnaissance of WordPress targets, identification of likely vulnerable Kali Forms deployments, unauthenticated callback execution through the plugin’s form_process logic, and privilege escalation by generating valid WordPress auth cookies. The code appears to be a standalone Python PoC/operational scanner rather than part of a larger exploit framework.