CVE-2026-4257

CRITICAL NUCLEI

Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality

Title source: cna

Description

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.

Exploits (2)

nomisec WORKING POC
by 0xgh057r3c0n · poc
https://github.com/0xgh057r3c0n/CVE-2026-4257
nomisec WORKING POC
by bootstrapbool · poc
https://github.com/bootstrapbool/cve-2026-4257

Nuclei Templates (1)

WordPress Contact Form by Supsystic - Server-Side Template Injection
CRITICALVERIFIEDby theamanrawat
Shodan: http.component:"WordPress"

References (3)

Scores

CVSS v3 9.8
EPSS 0.2424
EPSS Percentile 96.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
supsysticcom/Contact Form by Supsystic < 1.7.36
Published Mar 30, 2026
Tracked Since Mar 31, 2026