CVE-2026-4257

EPSS 41.48%
Veröffentlicht 30.03.2026 21:26:10
Zuletzt bearbeitet 24.04.2026 18:11:16
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.

Mögliche Gegenmaßnahme

Contact Form by Supsystic: Update to version 1.8.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellersupsysticcom

≫

Produkt Contact Form by Supsystic

Default Statusunaffected

Version <= 1.7.36

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Contact Form by Supsystic

Version *-1.7.36

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	41.48%	0.985

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.wordfence.com/threat-intel/vulnerabilities/id/415c9658-bfb2-453b-a697-c63c08b0ca61?source=cve

https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/tags/1.7.36/modules/forms/views/forms.php#L323

https://plugins.trac.wordpress.org/changeset/3491826/contact-form-by-supsystic

https://www.wordfence.com/threat-intel/vulnerabilities/id/415c9658-bfb2-453b-a697-c63c08b0ca61

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-4257

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-4257

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-4257

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-4257