CVE-2026-4257
Published 2026-03-30
Priority P186 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 41.48% (98.5th percentile)
The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| supsysticcom | contact_form_by_supsystic | <= 1.7.36 | — |
Detection & IOCs (extracted from sources)
command: `{%set e%}exec{%endset%}{{_self.env.registerUndefinedFilterCallback(e|lower)}}{{_self.env.getFilter(p)}}`
yara
contact-form-by-supsystic
- Detect SSTI exploitation attempts via the cfsPreFill GET parameter containing Twig template expressions (e.g., `{{...}}` or `{%...%}`) in HTTP requests to WordPress pages hosting the Contact Form by Supsystic plugin.
- Alert on HTTP GET requests containing both `cfsPreFill=1` and Twig syntax patterns (`registerUndefinedFilterCallback`, `_self.env`, `{%set`) in query string parameters.
- The exploit uses base64-encoded payloads decoded via Twig's `convert_encoding` filter to evade detection; look for `convert_encoding` alongside `cfsPreFill` in GET parameters.
- Nuclei template detection: match HTTP 200 responses containing both `contact-form-by-supsystic` and a numeric multiplication result in a value attribute, triggered by a GET request with `cfsPreFill=1` and a Twig math expression in the `first_name` field.
- The vulnerable code path is in forms.php at line 323 of the plugin; file integrity monitoring on this file can indicate tampering or exploitation.
- The Metasploit module path `multi/http/wp_plugin_supsystic_contact_form_rce` can be used to identify exploitation attempts originating from automated frameworks; correlate with IDS signatures for this module's request patterns.
- The Shodan query `http.component:"WordPress"` is used by the Nuclei template to identify targets; monitor for mass scanning of WordPress sites probing for the cfsPreFill parameter.
- The SSTI is triggered specifically through the cfsPreFill prefill functionality; sites that do not expose pages with the Contact Form widget are not directly reachable via this vector.
- The Nuclei template probes up to 7 requests and iterates over discovered page paths plus default page_id values (2–6) to find a page hosting the vulnerable form.
No detection rules found.
Exploit-DB
WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI
exploitdb · 2026-05-14 · CVSS 9.8
```python
# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI
# Date: 3/30/2026
# Exploit Author: bootstrapbool
# Vendor Homepage: https://supsystic.com/plugins/contact-form-plugin/
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: str:
    try:
        res = requests.get(url)
        res.raise_for_status()
    except requests.exceptions.RequestException as e:
        status.print(f"Request to {url} failed with {e}")
        exit(1)
    if res.status_code != 200:
        status.print(f"Got {res.status_code} for request to: {url}", "WARNING")
    return res.text

def get_version(body: str) -> str | None:
    pattern = r'suptablesui.min.css\?ver=([0-9\.]+)'
    match = re.search(pattern, body)
    if match:
        return match.group(1)

def is_
```
Nuclei
WordPress Contact Form by Supsystic - Server-Side Template Injection
nuclei · CVSS 9.8
Contact Form by Supsystic WordPress plugin <= 1.7.36 contains a server-side template injection caused by unsandboxed Twig_Loader_String and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters.
Template:

```yaml
id: CVE-2026-4257
info:
  name: WordPress Contact Form by Supsystic - Server-Side Template Injection
  author: theamanrawat
  severity: critical
  description: |
    Contact Form by Supsystic WordPress plugin <= 1.7.36 contains a server-side template injection caused by unsandboxed Twig_Loader_String and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters.
  impact: |
    Unauthenticated attackers can execute arbitrary P
```
Metasploit
Supsystic Contact Form Wordpress Plugin SSTI RCE
metasploit
This module performs SSTI achieving RCE in webpages containing the Contact Form WordPress plugin by Supsystic in versions 1.7.36 and before.
Rapid7
Metasploit Wrap Up 05/29/2026
blogs_rapid7 · 2026-05-29 · CVSS 9.8
## More Linux LPEs
Hark the age of the Linux LPE has arrived. This week’s release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable individually and comes with a new Metasploit module.
## New module content (5)
## Citrix ADC (NetScaler) CVE-2026-3055 Scanner
Authors: sfewer-r7 and watchTowr
Type: Auxiliary
Pull request: #21204 contributed by sfewer-r7
Path: scanner/http/citrix_netscaler_cve_2026_3055
AttackerKB reference: CVE-2026-3055
Description: Adds an auxiliary module targeting CVE-2026-3055, an info leak in Citrix NetScaler
Wiz
CVE-2026-4257 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-4257: WordPress vulnerability analysis and mitigation
Source: NVD
- Score: 9.8
- Published: March 30, 2026
- Severity: CRITICAL
- CNA Score: 9.8
- Affected Technologies: WordPress
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 95.4
- Exploitation Probability (EPSS): 19.6
- Affected packages and libraries: contact-form-by-supsystic
- Sources: NVD