PT-2026-29130 · WordPress · Contact Form By Supsystic

Author: Azril Fathoni
Published: 2026-03-30
Updated: 2026-04-05
CVE: CVE-2026-4257
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Contact Form by Supsystic plugin for WordPress, versions up to and including 1.7.36

Description: The Contact Form by Supsystic plugin for WordPress is susceptible to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE). The plugin renders templates with the Twig template engine using its string loader (Twig_Loader_String) without sandboxing. The cfsPreFill functionality lets unauthenticated users inject arbitrary Twig expressions into form field values through GET parameters, so attacker-supplied text is parsed as template source rather than treated as data. Attackers can use Twig's registerUndefinedFilterCallback() method to register arbitrary PHP callbacks, ultimately enabling the execution of PHP functions and operating system commands on the server.

Recommendations: Update the Contact Form by Supsystic plugin to a version newer than 1.7.36.
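The root cause described above is untrusted request data reaching Twig as template source instead of as template data. The PHP below is an added illustration, not code from the plugin, the advisory, or Twig: it contrasts the vulnerable pattern (request value concatenated into the template string) with a hardened one (fixed template, value passed as a context variable, Twig sandbox enabled) and adds a small detection helper for request logs. It assumes Twig 3.x installed via Composer; the field name, function names and the sample request value are constructed for the demo.

```php
<?php
// Added illustration (not the plugin's or Twig's own code).
// Assumes Twig 3.x via Composer. Function names are hypothetical.

require_once __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample request: a prefill value arriving via GET, e.g.
// ?cfsPreFill[name]=Jane. The value here is benign; the point is where it ends up.
$prefill = ['name' => 'Jane'];

// --- Vulnerable pattern: the request value becomes part of the template
// SOURCE, so any {{ ... }} or {% ... %} inside it is parsed and evaluated by Twig.
function renderVulnerable(array $prefill): string
{
    $twig   = new Environment(new ArrayLoader());
    $source = '<input name="name" value="' . $prefill['name'] . '">';
    return $twig->createTemplate($source)->render([]);
}

// --- Hardened pattern: the template source is fixed at development time and
// the request value is passed as a context variable. Twig autoescapes it for
// HTML and never parses it as template code.
function renderHardened(array $prefill): string
{
    $loader = new ArrayLoader([
        'field.html.twig' => '<input name="name" value="{{ name }}">',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);

    // Defence in depth: the sandbox limits what any template may use. Only the
    // listed tags, filters and functions are allowed; no object methods or
    // properties are reachable. 'escape' must be allowed because autoescaping
    // relies on it.
    $policy = new SecurityPolicy(
        ['if', 'for'],       // allowed tags
        ['escape', 'upper'], // allowed filters
        [],                  // allowed methods, per class
        [],                  // allowed properties, per class
        []                   // allowed functions
    );
    $twig->addExtension(new SandboxExtension($policy, true)); // true = always sandboxed

    return $twig->render('field.html.twig', ['name' => $prefill['name']]);
}

// --- Detection helper for access logs or a request filter: flags values that
// contain Twig delimiters, which legitimate form prefill text should never carry.
function looksLikeTemplateInjection(string $value): bool
{
    return preg_match('/\{\{|\{%|\{#/', $value) === 1;
}

echo renderVulnerable($prefill), PHP_EOL; // <input name="name" value="Jane">
echo renderHardened($prefill), PHP_EOL;   // <input name="name" value="Jane">
var_dump(looksLikeTemplateInjection($prefill['name'])); // bool(false)
```

With a benign value both renderers produce the same markup; the difference is that renderVulnerable() would hand any Twig syntax in the request to the parser, while renderHardened() treats the value purely as data. The sandbox is not a substitute for keeping user input out of template source, but it narrows what a template can reach even if a future code path reintroduces the mistake.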

Tags: Exploit, Fix, RCE, Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-4257

Affected Products: Contact Form By Supsystic