Critical severity9.8NVD Advisory· Published Mar 30, 2026· Updated Apr 24, 2026

CVE-2026-4257

Description

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig Twig_Loader_String template engine without sandboxing, combined with the cfsPreFill prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's registerUndefinedFilterCallback() method to register arbitrary PHP callbacks.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/contact-form-by-supsystic/tags/1.7.36/modules/forms/views/forms.phpnvd
plugins.trac.wordpress.org/changeset/3491826/contact-form-by-supsysticnvd
www.wordfence.com/threat-intel/vulnerabilities/id/415c9658-bfb2-453b-a697-c63c08b0ca61nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.035
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000