Cyber Posture

CVE-2026-4257

Severity: Critical
Published: 30 March 2026
Modified: 24 April 2026
KEV Added: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2574 (96.3rd percentile)
Risk Priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. The plugin renders through Twig using the `Twig_Loader_String` loader, which treats the string it is handed as template source, and it does not enable Twig's sandbox extension. Combined with the `cfsPreFill` prefill functionality, which lets unauthenticated users supply form field values via GET parameters, this allows attacker-controlled Twig expressions to reach the template engine. An unauthenticated attacker can then execute arbitrary PHP functions and OS commands on the server through Twig's `registerUndefinedFilterCallback()` method: a callback registered this way is invoked with the filter name whenever a template asks for a filter Twig does not know, so registering a PHP execution function turns any unknown filter name into a command to run.
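The pattern the advisory describes, reduced to a few lines, beside a hardened rewrite. This is an added illustrative example, not the plugin's own code; it assumes Twig 1.x (the last major version that still ships `Twig_Loader_String`) installed through Composer, and the function names and the `field.html` template are this example's own.

```php
<?php
// Added illustrative example (not the plugin's or the page's code): the
// vulnerable pattern beside a hardened rewrite. Assumes Twig 1.x via Composer;
// function names and the field.html template are assumptions of this example.
require __DIR__ . '/vendor/autoload.php';

// Vulnerable: the value of a GET parameter is handed to Twig as the template
// SOURCE. Anything inside {{ ... }} or {% ... %} in that value is compiled and
// executed, and without the sandbox extension the template may call methods
// on any object it can reach, including the Twig_Environment itself.
function renderPrefillVulnerable(string $prefill): string
{
    $twig = new Twig_Environment(new Twig_Loader_String());
    return $twig->render($prefill);
}

// Hardened: the template is a fixed string written by the developer, the user
// value is passed in as a variable, autoescaping encodes it for HTML, and the
// sandbox extension denies tags, methods, properties and functions (only the
// escape filter that autoescape inserts is allowed) as defence in depth.
function renderPrefillSafe(string $prefill): string
{
    $loader = new Twig_Loader_Array([
        'field.html' => '<input type="text" name="email" value="{{ prefill }}">',
    ]);
    $twig = new Twig_Environment($loader, ['autoescape' => 'html']);
    $policy = new Twig_Sandbox_SecurityPolicy([], ['escape'], [], [], []);
    $twig->addExtension(new Twig_Extension_Sandbox($policy, true));
    return $twig->render('field.html', ['prefill' => $prefill]);
}

// Constructed probe value: a harmless expression that reveals whether the
// input is being evaluated as template code rather than treated as data.
$probe = '{{ 7 * 7 }}';
echo renderPrefillVulnerable($probe), "\n";
echo renderPrefillSafe($probe), "\n";
```

The probe `{{ 7 * 7 }}` is the usual first test for SSTI: the vulnerable function evaluates the multiplication, while the hardened one emits the braces as escaped literal text inside the input's value attribute. The essential fix is never compiling user input as a template; the sandbox policy is belt-and-braces for the case where a template does come from a semi-trusted source. `Twig_Loader_String` was deprecated in Twig 1.18.1 and does not exist in Twig 2 and later, so code that still depends on it is itself a signal worth auditing.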

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely remediation of flaws in vulnerable WordPress plugins such as Contact Form by Supsystic directly patches the SSTI-to-RCE vulnerability; updating past 1.7.36 is the only complete fix.

SI-10 Information Input Validation (prevent)

Validating and sanitizing the unauthenticated GET parameters consumed by the cfsPreFill functionality, and never passing them to Twig as template source, prevents injection of Twig expressions leading to RCE.

SC-7 Boundary Protection (prevent, detect)

Boundary protection mechanisms such as a web application firewall can monitor and block crafted GET requests carrying Twig delimiters aimed at the plugin. This is a compensating control for the window before patching, not a substitute for it.
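What a boundary-level check for this class of payload looks like in practice, as an added example that is not part of the page or of any WAF product: a request-level function of the kind a WAF rule or a small WordPress mu-plugin would run on the raw query string before the vulnerable plugin sees the request. The `cfsPreFill` parameter name comes from the advisory; the function names and the sample requests are this example's own.

```php
<?php
// Added example (not the page's or the plugin's code). Function names and the
// sample query strings below are constructed for illustration.

/**
 * Walk a (possibly nested) parameter array and return "path => value" pairs
 * whose value contains a Twig delimiter: {{ (print), {% (tag) or {# (comment).
 * Every Twig expression has to open with one of these, and none of them
 * belongs in a contact-form prefill value.
 */
function flagTwigDelimiters(array $params, string $prefix = ''): array
{
    $flagged = [];
    foreach ($params as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $flagged += flagTwigDelimiters($value, $path);
        } elseif (preg_match('/\{[{%#]/', (string) $value)) {
            $flagged[$path] = (string) $value;
        }
    }
    return $flagged;
}

/**
 * Decode a query string the way PHP builds $_GET (one round of percent
 * decoding), so an encoded "%7B%7B" is matched as "{{" exactly as the
 * plugin would receive it.
 */
function checkQueryString(string $queryString): array
{
    parse_str($queryString, $params);
    return flagTwigDelimiters($params);
}

// Constructed sample requests (not captured traffic): a benign prefill,
// a percent-encoded print expression, and a percent-encoded tag.
$samples = [
    'cfsPreFill[email]=alice%40example.com&cfsPreFill[name]=Alice',
    'cfsPreFill[email]=%7B%7B7*7%7D%7D',
    'cfsPreFill[name]=%7B%25+set+x+%3D+1+%25%7D',
];
foreach ($samples as $qs) {
    $hits = checkQueryString($qs);
    echo $hits === [] ? 'ALLOW' : 'BLOCK ' . json_encode($hits), '  ', $qs, "\n";
}
```

Matching on the delimiter alone, after a single round of decoding, is deliberate: a payload that is double-encoded arrives in `$_GET` still percent-encoded, so Twig would never see a brace unless the plugin decoded it a second time. Legitimate contact-form values almost never contain `{{`, `{%` or `{#`, which keeps false positives low, but a block rule of this kind only narrows the exposure window; the plugin still has to be updated.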

Security Summary

CVE-2026-4257 is a critical Server-Side Template Injection (SSTI) vulnerability in the Contact Form by Supsystic plugin for WordPress, affecting all versions up to and including 1.7.36. The issue arises from the plugin rendering with Twig through the `Twig_Loader_String` loader without the sandbox extension, combined with the `cfsPreFill` prefill functionality. Unauthenticated users can inject arbitrary Twig expressions into form field values via GET parameters, which the plugin then compiles and executes, enabling Remote Code Execution (RCE). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Code Injection).

Unauthenticated attackers can exploit the vulnerability remotely by sending crafted GET requests containing Twig expressions. By calling Twig's `registerUndefinedFilterCallback()` method from within the injected template, an attacker registers an arbitrary PHP callable as the handler for unknown filter names, so that a subsequent filter lookup executes arbitrary PHP functions and operating system commands on the server. No privileges, user interaction, or special conditions are required, which makes the flaw highly exploitable over the network.

WordPress plugin advisories reference the vulnerable code in forms.php at line 323 of version 1.7.36 and provide a patch via changeset 3491826. The Wordfence threat intelligence page offers further details on the vulnerability (ID: 415c9658-bfb2-453b-a697-c63c08b0ca61). Security practitioners should update the plugin to a release later than 1.7.36 that contains that changeset to mitigate the risk.

Details

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1221 Template Injection (Defense Evasion)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

The SSTI in a public-facing WordPress plugin gives an unauthenticated attacker RCE over the network, which is exactly Exploit Public-Facing Application (T1190). T1221 is listed because of the shared "template injection" name, but its definition concerns references planted in user document templates (Office-style template files), not a server-side template engine evaluating attacker input; for this CVE the T1190 mapping is the one that holds.

Confidence: HIGH for T1190 · MITRE ATT&CK Enterprise v19.0
