CVE-2026-4257

Supsystic · Contact Form by Supsystic (WordPress plugin)

The Contact Form by Supsystic plugin for WordPress is vulnerable to unauthenticated Remote Code Execution via Server-Side Template Injection in the Twig template engine.

Executive summary

An unauthenticated Remote Code Execution vulnerability in the Supsystic Contact Form plugin allows attackers to take complete control of WordPress servers via malicious Twig expressions.

Vulnerability

The plugin uses the Twig template engine without an active sandbox and exposes the vulnerable Twig_Loader_String method. This allows an unauthenticated attacker to use the cfsPreFill GET parameter to inject arbitrary Twig expressions, which can then be leveraged to execute PHP functions and OS commands.

Business impact

The impact of this vulnerability is catastrophic, as it grants unauthenticated attackers the ability to execute arbitrary code on the underlying web server. This could lead to full site defacement, data theft, and the installation of persistent backdoors. A CVSS score of 9.8 reflects the maximum risk to confidentiality, integrity, and availability.

Remediation

Immediate Action: Update the Contact Form by Supsystic plugin to the latest patched version (above 1.7.36) immediately; the update removes the insecure template loading functionality.

Proactive Monitoring: Scan web server logs for GET requests containing cfsPreFill followed by suspicious Twig syntax, such as {{, _self, or registerUndefinedFilterCallback.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block Server-Side Template Injection (SSTI) patterns and unauthorized PHP function calls.
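A log-scanning pass that implements the monitoring guidance above, as an added example that is not part of this advisory: it URL-decodes each GET request's query string (braces are percent-encoded on the wire, and a second decode catches double-encoded values), locates cfsPreFill, and reports which of the Twig indicators named above are present. The log lines are constructed samples in Apache combined format; matching the parameter name by prefix, to cover array-style keys such as cfsPreFill[field], is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Twig indicators listed in the advisory's monitoring guidance.
TWIG_INDICATORS = ("{{", "_self", "registerUndefinedFilterCallback")

# Request line inside a combined-format access log entry: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "GET /?cfsPreFill=%7B%7B_self%7D%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2026:10:01:05 +0000] "GET /contact/?cfsPreFill=John%20Doe HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:10:02:11 +0000] "GET /?cfsPreFill=%257B%257BregisterUndefinedFilterCallback HTTP/1.1" 500 0 "-" "curl/8.0"',
]


def flag_request(log_line: str):
    """Return (request target, sorted indicators) when a GET carries a cfsPreFill
    value containing Twig syntax; return None for anything else."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return None
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    hits = set()
    for key, values in params.items():
        # Prefix match (assumption): also covers array-style keys like cfsPreFill[field].
        if not key.startswith("cfsPreFill"):
            continue
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; this catches double-encoding
            hits.update(ind for ind in TWIG_INDICATORS if ind in decoded)
    return (m.group("target"), sorted(hits)) if hits else None


def scan_log(lines):
    """Run flag_request over every line and keep only the suspicious ones."""
    return [hit for line in lines if (hit := flag_request(line))]


if __name__ == "__main__":
    for target, indicators in scan_log(SAMPLE_LOG):
        print(f"suspicious cfsPreFill request: {target} -> {indicators}")
```

The list is deliberately narrow; treat a hit as a trigger for reviewing the full request and the plugin version, not as proof of compromise.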

Exploitation status

Public Exploit Available: No

Analyst recommendation

Due to the unauthenticated nature of this RCE flaw, immediate action is required. Organizations should verify their plugin versions and apply the update today. If the plugin is no longer needed, it should be deactivated and deleted entirely to reduce the attack surface.