CVE-2026-4257

Severity: CRITICAL · Nuclei template available

Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality

Title source: cna

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-4257. PoCs have been published by bootstrapbool, shootcannon and 0xgh057r3c0n, and a Metasploit module (exploits/multi/http/wp_plugin_supsystic_contact_form_rce) is available. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in WordPress Plugin Supsystic Contact Form <= 1.7.36. It crafts a Twig template payload to execute arbitrary commands via a vulnerable contact form field.

Description

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. The plugin renders templates with Twig's `Twig_Loader_String` loader without enabling a sandbox, and its `cfsPreFill` prefill functionality lets unauthenticated users inject arbitrary Twig expressions into form field values via GET parameters. Together these allow unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by using Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.

Exploits (5)

exploitdb · WORKING POC
by bootstrapbool · python · webapps · multiple
https://www.exploit-db.com/exploits/52564

This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in WordPress Plugin Supsystic Contact Form <= 1.7.36. It crafts a Twig template payload to execute arbitrary commands via a vulnerable contact form field.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Plugin Supsystic Contact Form <= 1.7.36
Authentication: none needed
Prerequisites: Access to a page with the vulnerable Contact Form component · A valid field name from the form
Analyzed by devstral-2, May 15, 2026
nomisec · WORKING POC
by shootcannon · poc
https://github.com/shootcannon/CVE-2026-4257

This repository contains a functional exploit for CVE-2026-4257, demonstrating unauthenticated Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Contact Form by Supsystic versions <= 1.7.36. The exploit leverages the prefill functionality to inject malicious templates and execute arbitrary commands.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Contact Form by Supsystic <= 1.7.36
Authentication: none needed
Prerequisites: URL of the vulnerable form page · Name of the form field to exploit
Analyzed by devstral-2, May 11, 2026
nomisec · WORKING POC
by 0xgh057r3c0n · poc
https://github.com/0xgh057r3c0n/CVE-2026-4257

This repository contains a functional exploit for CVE-2026-4257, targeting a Server-Side Template Injection (SSTI) vulnerability in WordPress Contact Form 7. The exploit automates version detection, field identification, and payload delivery to achieve remote command execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Contact Form 7 <= 1.7.36
Authentication: none needed
Prerequisites: Target URL with vulnerable Contact Form 7 plugin · Network access to the target
Analyzed by devstral-2, Apr 19, 2026
nomisec · WORKING POC
by bootstrapbool · poc
https://github.com/bootstrapbool/cve-2026-4257

This repository contains a functional Python exploit for CVE-2026-4257, a Server-Side Template Injection (SSTI) vulnerability in the 'Contact Form' WordPress plugin by Supsystic. The exploit leverages the `generateHtml()` function in the `formsViewCfs` class to achieve Remote Code Execution (RCE) via crafted Twig template payloads.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Contact Form by Supsystic (WordPress plugin) <= 1.7.36
Authentication: none needed
Prerequisites: Target must have the vulnerable plugin installed and accessible · Contact form page must be reachable
Analyzed by devstral-2, Apr 09, 2026
metasploit · WORKING POC · EXCELLENT
by Azril Fathoni · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_plugin_supsystic_contact_form_rce.rb

This Metasploit module exploits a Server-Side Template Injection (SSTI) vulnerability in the Supsystic Contact Form WordPress plugin (versions 1.7.36 and earlier) to achieve Remote Code Execution (RCE). It automates the detection of vulnerable fields and delivers a crafted payload via the 'cfsPreFill' parameter.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Supsystic Contact Form WordPress Plugin <= 1.7.36
Authentication: none needed
Prerequisites: WordPress site with vulnerable Supsystic Contact Form plugin · Accessible contact form page
Analyzed by devstral-2, May 26, 2026

Nuclei Templates (1)

WordPress Contact Form by Supsystic - Server-Side Template Injection
CRITICAL · VERIFIED · by theamanrawat
Shodan query: http.component:"WordPress"

Scores

CVSS v3 9.8
EPSS 0.8693
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
supsysticcom/Contact Form by Supsystic < 1.7.36
Published Mar 30, 2026
Tracked Since Mar 31, 2026