CVE-2025-52122

Freeform · Freeform Multiple Products

A critical Server-Side Template Injection (SSTI) vulnerability has been identified in the Freeform plugin for CraftCMS.

Executive summary

A critical Server-Side Template Injection (SSTI) vulnerability has been identified in the Freeform plugin for CraftCMS. This flaw allows authenticated users with editing permissions to inject and execute arbitrary code on the server, potentially leading to a full system compromise. Due to the high severity and the potential for complete data and system loss, immediate patching is required to mitigate this risk.

Vulnerability

The vulnerability is a Server-Side Template Injection (SSTI) within the Freeform plugin for CraftCMS. The application fails to properly sanitize user-supplied input within fields that are processed by the server-side template engine. An authenticated attacker with permissions to edit Freeform components can submit a malicious payload containing template syntax, which is then executed by the server, resulting in arbitrary code execution with the permissions of the web server process.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the web server's confidentiality, integrity, and availability. Potential consequences include theft of sensitive data stored in the application (such as form submissions, customer PII, and database credentials), installation of malware or ransomware, defacement of the website, and using the compromised server as a pivot point for further attacks into the internal network.

Remediation

Immediate Action: Update the Freeform plugin on all CraftCMS instances to version 5.10.16 or a later patched version, as recommended by the vendor. After patching, review web server and application access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Monitor web server logs for suspicious POST requests to Freeform editing endpoints containing template syntax such as {{, {%, or other template-specific delimiters. Monitor system processes for unexpected commands being executed by the web server's user account (e.g., www-data, apache). Anomaly detection on outbound network traffic from the web server can also help identify potential post-exploitation activity.
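As an added illustration of the log review described above (example code written for this page, not code from the advisory, the vendor, or the Freeform project), the following script scans access-log lines for POST requests to Freeform editing endpoints whose request target contains Twig-style delimiters after percent-decoding. The control-panel path prefix and the log lines are constructed placeholders; adapt them to your deployment.

```python
import re
from urllib.parse import unquote_plus

# Template delimiters named in the advisory. They are matched after
# percent-decoding so an encoded "%7B%7B" is treated the same as "{{".
TEMPLATE_DELIMS = ("{{", "{%", "{#")

# Assumption: path prefix of Freeform editing endpoints in the control panel.
# The advisory gives no concrete path; this is a placeholder to adjust.
FREEFORM_EDIT_PREFIX = "/admin/freeform/"

# Combined-log-style line with the request line in quotes (constructed layout).
# Note: most access logs do not record POST bodies, so this sees only the path
# and query string; pair it with WAF or request-body logging for full coverage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_request(method: str, target: str) -> bool:
    """True for a POST to a Freeform editing endpoint carrying template delimiters."""
    if method != "POST" or not target.startswith(FREEFORM_EDIT_PREFIX):
        return False
    decoded = unquote_plus(unquote_plus(target))  # second pass catches double-encoding
    return any(delim in decoded for delim in TEMPLATE_DELIMS)


def scan_log(lines):
    """Return (ip, timestamp, decoded target) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], unquote_plus(m["target"])))
    return hits


# Constructed sample lines: one editing request with encoded delimiters (flagged),
# a benign edit, a plain page view, and a public form post that is out of scope.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2025:10:15:01 +0000] "POST /admin/freeform/forms/3?label=%7B%7B+test+%7D%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jun/2025:10:16:10 +0000] "POST /admin/freeform/forms/3?label=Contact+Us HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jun/2025:10:16:30 +0000] "GET /admin/freeform/forms/3 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Jun/2025:10:17:00 +0000] "POST /index.php?p=contact&message=%7B%7B HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```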

Compensating Controls: If immediate patching is not feasible, implement the following controls:

  • Restrict access to the CraftCMS control panel, and specifically to Freeform editing functions, to only highly trusted administrators.
  • Deploy a Web Application Firewall (WAF) with rulesets designed to detect and block common SSTI payloads.
  • Temporarily disable the Freeform plugin if its functionality is not business-critical until patching can be completed.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied patch to all affected systems. This vulnerability represents a significant and urgent threat to the security of any public-facing CraftCMS website using an affected version of the Freeform plugin. Although not currently listed on the CISA KEV catalog, its high impact makes it a prime target for threat actors, and patching should be treated as an emergency action.