CVE-2026-4257
published 2026-03-30


Priority: P1 (86) · Severity: critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 41.48% (98.5th percentile)
The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.

Affected (1 range)

Vendor: supsysticcom
Product: contact_form_by_supsystic
Version range: <= 1.7.36
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: multi/http/wp_plugin_supsystic_contact_form_rce
url: /?cfsPreFill=1&first_name={{payload}}
command: {%set e%}exec{%endset%}{{_self.env.registerUndefinedFilterCallback(e|lower)}}{{_self.env.getFilter(p)}}
other: cfsPreFill=1
other: value="{{result}}"
path: /modules/forms/views/forms.php#L323
yara: contact-form-by-supsystic
  • Detect SSTI exploitation attempts via the cfsPreFill GET parameter containing Twig template expressions (e.g., {{...}} or {%...%}) in HTTP requests to WordPress pages hosting the Contact Form by Supsystic plugin.
  • Alert on HTTP GET requests containing both 'cfsPreFill=1' and Twig syntax patterns (registerUndefinedFilterCallback, _self.env, {%set) in query string parameters.
  • The exploit uses base64-encoded payloads decoded via Twig's convert_encoding filter to evade detection; look for 'convert_encoding' alongside 'cfsPreFill' in GET parameters.
  • Nuclei template detection: match HTTP 200 responses containing both 'contact-form-by-supsystic' and a numeric multiplication result in a value attribute, triggered by a GET request with cfsPreFill=1 and a Twig math expression in the first_name field.
  • The vulnerable code path is in forms.php at line 323 of the plugin; file integrity monitoring on this file can indicate tampering or exploitation.
  • The Metasploit module path multi/http/wp_plugin_supsystic_contact_form_rce can be used to identify exploitation attempts originating from automated frameworks; correlate with IDS signatures for this module's request patterns.
  • The Nuclei template uses the Shodan query 'http.component:"WordPress"' to identify targets; monitor for mass scanning of WordPress sites probing for the cfsPreFill parameter.
  • The SSTI is triggered specifically through the cfsPreFill prefill functionality; sites that do not expose pages with the Contact Form widget are not directly reachable via this vector.
  • The Nuclei template sends up to 7 requests and iterates over discovered page paths plus default page_id values (2–6) to find a page hosting the vulnerable form.
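A minimal access-log check implementing the detection notes above, as an added example that is not from the page's sources or the plugin's code: it percent-decodes query values repeatedly (probes may be double-encoded) and alerts only when cfsPreFill is present together with a Twig construct. The request lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Twig constructs named in the detection notes above. Only a request that also carries
# cfsPreFill (the prefill entry point) is alerted on; stray braces elsewhere are not this vector.
TWIG_INDICATORS = {
    "twig_print_tag": re.compile(r"\{\{.*?\}\}", re.S),
    "twig_block_tag": re.compile(r"\{%.*?%\}", re.S),
    "math_probe": re.compile(r"\{\{\s*\d+\s*\*\s*\d+\s*\}\}"),  # Nuclei-style {{7*7}} probe
    "undefined_filter_callback": re.compile(r"registerUndefinedFilterCallback"),
    "self_env": re.compile(r"_self\.env"),
    "convert_encoding": re.compile(r"convert_encoding"),
}

def decoded_params(query: str, max_rounds: int = 3) -> list[tuple[str, str]]:
    """Split a query string and percent-decode each value repeatedly, so a
    double-encoded payload (%257B%257B...) is matched in its decoded form."""
    out = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        for _ in range(max_rounds):
            nxt = unquote_plus(value)
            if nxt == value:
                break
            value = nxt
        out.append((key, value))
    return out

def inspect_request(request_line: str) -> dict:
    """Classify one access-log request line ('GET /path?query HTTP/1.1')."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else parts[0]
    params = decoded_params(urlsplit(target).query)
    has_prefill = any(k == "cfsPreFill" for k, _ in params)
    hits = [(name, key) for key, value in params
            for name, rx in TWIG_INDICATORS.items() if rx.search(value)]
    return {"cfsPreFill": has_prefill, "hits": hits, "alert": has_prefill and bool(hits)}

def scan_log(lines: list[str]) -> list[dict]:
    """Return only the lines to alert on, each with its (indicator, parameter) hits."""
    return [{"request": ln, "hits": inspect_request(ln)["hits"]}
            for ln in lines if inspect_request(ln)["alert"]]

# Constructed sample request lines (not taken from a real server):
SAMPLE_LOG = [
    "GET /?cfsPreFill=1&first_name=Alice&email=a%40example.test HTTP/1.1",  # benign prefill
    "GET /?cfsPreFill=1&first_name=%7B%7B7*7%7D%7D HTTP/1.1",  # math probe
    "GET /?page_id=3&cfsPreFill=1&first_name=%257B%257B_self.env%257D%257D HTTP/1.1",  # double-encoded
    "GET /?s=%7B%7Bhello%7D%7D HTTP/1.1",  # Twig braces but no cfsPreFill: not this vector
]
```

Matching on decoded values matters: a rule that only looks for literal `{{` in the raw query string misses the percent-encoded form every scanner sends.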