Contact Form by Supsystic WordPress Plugin Server-Side Template Injection Vulnerability Allowing Remote Code Execution

A vulnerability allowing server-side template injection (SSTI) has been identified in the Contact Form by Supsystic plugin for WordPress, affecting all versions through 1.7.36. The issue arises from the plugin's use of the Twig template engine, specifically the 'Twig_Loader_String' loader, without proper sandboxing. This vulnerability is exploited through the 'cfsPreFill' functionality, which allows unauthenticated users to inject arbitrary Twig expressions into form fields via GET parameters. By leveraging Twig's capabilities, attackers can execute arbitrary PHP functions and operating system commands on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the affected WordPress site is hosted.

Reproduction

To reproduce this vulnerability, an unauthenticated user can send a GET request to a WordPress site with the Contact Form by Supsystic plugin installed. The request must include the 'cfsPreFill' parameter with a crafted Twig expression that exploits the vulnerability. The injected expression will be executed on the server, allowing for remote code execution.

Remediation

Users are advised to update the Contact Form by Supsystic plugin to version 1.8.0 or later, where this vulnerability has been patched.