CVE-2026-4257
Server-Side Template Injection in Supsystic Contact Form Plugin Enables RCE
Publication date: 2026-03-30
Last updated on: 2026-03-30
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| supsystic | contact_form | to 1.7.36 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized remote code execution on the server hosting the WordPress site. An attacker can run arbitrary PHP code and OS commands, potentially leading to full server compromise, data theft, data loss, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the Contact Form by Supsystic plugin up to and including 1.7.36. Immediate mitigation steps include updating the plugin to a version later than 1.7.36 where the vulnerability is fixed.
If an update is not immediately available, consider disabling or removing the vulnerable plugin to prevent exploitation.
Additionally, restrict access to the affected WordPress site or monitor for unusual GET parameter usage that could indicate exploitation attempts.
Can you explain this vulnerability to me?
The Contact Form by Supsystic plugin for WordPress has a Server-Side Template Injection (SSTI) vulnerability that allows Remote Code Execution (RCE). This occurs because the plugin uses the Twig template engine without sandboxing and includes a prefill feature that lets unauthenticated users inject arbitrary Twig expressions into form fields via GET parameters. Attackers can exploit this to execute arbitrary PHP functions and operating system commands on the server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated remote code execution on the server, which can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive information.
Such security breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, as well as maintaining system integrity and confidentiality.
Failure to address this vulnerability could result in violations of these regulations due to compromised data security and unauthorized system access.