The last 48 hours have been quiet on new WordPress vulnerability disclosures: no fresh CVEs from Wordfence, WPScan, Sucuri, or WordPress.org. But quiet doesn’t mean safe.
The Real Story: CVE-2026-3584 Exploitation Is Exploding
Kali Forms, a WordPress drag-and-drop form builder, contains one of the most aggressively exploited vulnerabilities active today. CVE-2026-3584 is a CVSS 9.8 unauthenticated Remote Code Execution flaw affecting all plugin versions up to and including 2.4.9.
How it works, in plain English:
You submit a contact form on any WordPress site running Kali Forms ≤ 2.4.9
The plugin takes your form input and passes it directly into PHP’s call_user_func(), a function that runs whatever function name you give it
No login. No admin access. One request = full server takeover
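To make that mechanism concrete, here is a constructed illustration of the pattern the bulletin describes (an added example, not Kali Forms’ code): a handler that hands a request-supplied name to call_user_func(), beside a hardened version that only dispatches through a fixed allowlist. The function and parameter names are assumptions.

```php
<?php
// Constructed illustration of the dangerous pattern: the callback name comes
// straight from the request, so the client decides which PHP function runs.
function handle_submission_vulnerable(array $request): string {
    $handler = $request['handler'] ?? 'trim';
    $value   = $request['value'] ?? '';
    // call_user_func() invokes whatever function name it is given.
    return (string) call_user_func($handler, $value);
}

// Hardened version: the request selects a field type, never a function name.
// Only the types in this fixed allowlist are dispatched; anything else is
// rejected before any function is called.
const FIELD_HANDLERS = ['text', 'email', 'number'];

function sanitize_for(string $type, string $value): ?string {
    switch ($type) {
        case 'text':   return strip_tags(trim($value));
        case 'email':  return filter_var($value, FILTER_VALIDATE_EMAIL) ?: null;
        case 'number': return is_numeric($value) ? $value : null;
    }
    return null;
}

function handle_submission_hardened(array $request): array {
    $type  = (string) ($request['handler'] ?? '');
    $value = (string) ($request['value'] ?? '');
    if (!in_array($type, FIELD_HANDLERS, true)) {
        return ['ok' => false, 'error' => 'unknown field type'];
    }
    $clean = sanitize_for($type, $value);
    return $clean === null
        ? ['ok' => false, 'error' => 'invalid value']
        : ['ok' => true, 'value' => $clean];
}

// Constructed requests: a benign text field is cleaned and accepted ...
var_dump(handle_submission_hardened(['handler' => 'text', 'value' => '<b>hi</b>']));
// ... while a request naming an arbitrary function is refused, not executed.
var_dump(handle_submission_hardened(['handler' => 'phpinfo', 'value' => '']));
```

The fix is structural: the client input becomes a lookup key into code the developer wrote, so the set of reachable functions is closed regardless of what the request contains.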
How bad is it right now?
Exploitation began the same day the CVE was published: March 20, 2026
By March 30, attack attempts had surged from 438 to 10,600+, a 64× spike in one week
~15% of attacks routed through Tor to mask attacker IPs
Attackers are deploying webshells, credential stealers, and full admin takeovers
Don’t Sleep On This Either: Ninja Forms CVE-2026-0740
Ninja Forms - File Uploads (≤ 3.3.26) carries the same CVSS 9.8 score. Unauthenticated attackers can upload arbitrary files via an unprotected AJAX handler, giving instant RCE. Affects ~50,000 sites. Update to 3.3.27 immediately.
How SwissWPSuite (v2.9.27.61) Shields Your Sites
| Threat Vector | SwissWPSuite Defense | Layer |
| --- | --- | --- |
| PHP webshell upload | PHP-in-Uploads WAF blocking + .htaccess deny in /uploads | WAF + Hardening |
| call_user_func RCE | 38-pattern Command Injection detection in WAF (Pro) | WAF L1 |
| Webshell detection post-upload | 18 filename patterns + 24 malware signature scans | Sentinel M1-B/M1-C |
| Vulnerable plugin detection | WPScan API CVE matching with version verification | Sentinel M4-D2 |
| IP-based attack campaigns | Progressive IP banning (5 violations/10 min → 30-min ban) | WAF IP Reputation |
| Admin takeover attempts | Brute force lockout + TOTP-based 2FA (Pro) | Login Security |
Immediate Action Items:
Update Kali Forms to 2.4.10 right now, no exceptions
Update Ninja Forms - File Uploads to 3.3.27 if installed
Run a full SwissWPSuite Sentinel scan; the M1 modules will flag any PHP files already dropped in /uploads
Enable PHP-in-Uploads hardening in SwissWPSuite (Pro) to block server-side PHP execution from the upload directory at the .htaccess level
Quiet periods are audit time: review admin accounts and check for excessive admin users (Sentinel M4-G2 flags this)