CVE-2026-45697
Formie · Craft CMS Plugin
The Formie plugin for Craft CMS is vulnerable to remote code execution because submitted values for hidden form fields are evaluated as Twig templates instead of being treated as opaque data.
Executive summary
An unauthenticated remote code execution vulnerability in the Formie Craft CMS plugin allows attackers to compromise the underlying server by submitting a crafted form entry that injects malicious Twig expressions.
Vulnerability
When a hidden field is configured with a "Custom" default value, the plugin evaluates the value it receives on submission as a Twig template rather than as a literal string. Because form submission requires no authentication, an attacker can post a crafted value in that hidden field and have it evaluated as Twig code during submission processing, leading to arbitrary code execution. Only forms containing at least one hidden field with a "Custom" default value are exposed, but that field is rendered into the public form, so the precondition is easy to identify from the page source.
Business impact
With a CVSS score of 9.8, this vulnerability represents a critical risk to the confidentiality, integrity and availability of the site. Successful exploitation allows an attacker to execute arbitrary code on the hosting server under the web server's user, potentially leading to full site compromise, unauthorized data exfiltration, or complete system takeover.
Remediation
Immediate Action: Upgrade the Formie plugin to version 2.2.20 (2.x branch) or 3.1.24 (3.x branch), whichever matches the major version in use, to patch the template evaluation logic. Verify the installed version after the update rather than assuming the deployment succeeded.
Proactive Monitoring: Monitor web server access logs for POST requests to the plugin's submission endpoint whose hidden-field values contain Twig delimiters ({{, {% or {#, which appear URL-encoded as %7B%7B, %7B%25 and %7B%23), and Craft's own logs (storage/logs) for Twig syntax or runtime errors raised from the submission path, which typically accompany failed payload attempts. Also watch for unexpected file writes or process execution by the PHP process around the time of such submissions.
Compensating Controls: Until the patch is applied, add a Web Application Firewall (WAF) rule that blocks or alerts on submission requests containing Twig syntax, and where a form does not need them, remove hidden fields with "Custom" default values. Treat the WAF rule as a stopgap only: pattern matching on delimiters is sensitive to encoding variations, so decode request bodies before matching, and expect occasional false positives on free-text fields.
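The monitoring and WAF guidance above comes down to one check: inspect submissions to the Formie endpoint, decode them fully, and flag hidden-field values that carry Twig delimiters or that differ from the value the form is supposed to post. The script below is an added example written for this page; it is not Formie's or Craft's own code. The log line format, the submission path `/actions/formie/submissions/submit`, the `fields[...]` parameter naming and the expected hidden-field value are all constructed assumptions for the example and should be checked against your own form markup and log format before use.

```python
"""Added example: scan request logs for Twig injection attempts against Formie form
submissions. Log lines, endpoint path and field names are constructed for this example."""
import re
from urllib.parse import parse_qs, unquote

# Twig template delimiters: {{ expression }}, {% statement %}, {# comment #}.
TWIG_DELIM = re.compile(r"\{\{|\{%|\{#")

# Assumed submission endpoint; confirm against the form's action input in your markup.
SUBMIT_PATH = "/actions/formie/submissions/submit"

# Constructed: hidden fields and the value the rendered form is expected to post.
# A hidden field that comes back with any other value has been tampered with.
EXPECTED_HIDDEN = {"fields[campaignId]": "spring-2026"}

# Constructed sample log lines: "<client-ip> <method> <path> body=<urlencoded body>".
# .12 posts {{7*7}} (single-encoded), .13 posts {% if true %} (double-encoded),
# .14 tampers with the hidden field but uses no Twig syntax; single braces in the
# message field are legitimate content and must not trigger an alert.
SAMPLE_LOG = """\
203.0.113.10 POST /actions/formie/submissions/submit body=handle=contact&fields%5BcampaignId%5D=spring-2026&fields%5Bmessage%5D=Hello
203.0.113.11 GET /contact body=
203.0.113.12 POST /actions/formie/submissions/submit body=handle=contact&fields%5BcampaignId%5D=%7B%7B7*7%7D%7D&fields%5Bmessage%5D=x
203.0.113.13 POST /actions/formie/submissions/submit body=handle=contact&fields%5BcampaignId%5D=%257B%2525%2520if%2520true%2520%2525%257D&fields%5Bmessage%5D=y
203.0.113.14 POST /actions/formie/submissions/submit body=handle=contact&fields%5BcampaignId%5D=summer-2026&fields%5Bmessage%5D=Prices%20in%20%7Bbraces%7D
"""


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded), so that both %7B%7B
    and the double-encoded %257B%257B normalise to {{ before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def parse_log_line(line):
    """Split a constructed log line into (ip, method, path, raw_body)."""
    head, _, body = line.partition(" body=")
    ip, method, path = head.split(" ", 2)
    return ip, method, path, body


def analyse_body(raw_body):
    """Return findings for one submission body as (kind, field, decoded_value)
    tuples, where kind is 'twig_syntax' or 'hidden_field_mismatch'."""
    findings = []
    params = parse_qs(raw_body, keep_blank_values=True)  # performs one decode round
    for field, values in params.items():
        for value in values:
            decoded = decode_fully(value)
            if TWIG_DELIM.search(decoded):
                findings.append(("twig_syntax", field, decoded))
            expected = EXPECTED_HIDDEN.get(field)
            if expected is not None and decoded != expected:
                findings.append(("hidden_field_mismatch", field, decoded))
    return findings


def scan_log(text):
    """Examine only POSTs to the submission endpoint; return (ip, findings) per
    offending request, in log order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, method, path, body = parse_log_line(line)
        if method != "POST" or path != SUBMIT_PATH:
            continue
        findings = analyse_body(body)
        if findings:
            alerts.append((ip, findings))
    return alerts


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        for kind, field, value in findings:
            print(f"{ip} {kind} {field}={value!r}")
```

The hidden-field mismatch check is the higher-signal one for this issue: a hidden field's submitted value should always equal what the form rendered, so any deviation is tampering whether or not it contains Twig syntax, and it does not fire on free-text fields that happen to contain braces. The delimiter check is what a WAF rule can express; note that it only works on the decoded body, which is why the double-encoded probe is decoded before matching.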
Exploitation status
Public Exploit Available: No data available.
Analyst recommendation
Given the critical nature of this RCE, administrators should treat this as a high-priority update. Ensure that all instances of the Formie plugin, including staging and development copies that accept submissions from the internet, are patched immediately to prevent attackers from leveraging this entry point to gain control over the Craft CMS environment. After patching, review stored submissions for hidden-field values containing Twig syntax; any such entry indicates an exploitation attempt that predates the update and warrants an incident response.