CVE-2026-4257 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: March 30, 2026
Contact Form by Supsystic - Remote Code Execution
Overview
The Contact Form by Supsystic WordPress plugin, in versions up to and including 1.7.36, contains a server-side template injection (SSTI) caused by the cfsPreFill functionality's use of an unsandboxed Twig_Loader_String, letting unauthenticated attackers execute arbitrary code remotely via GET parameters.
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary PHP functions and OS commands remotely, leading to full server compromise.
Mitigation
Update to the latest version beyond 1.7.36.
References
Social Media Activity (2 posts)
CVE-2026-4257 - Critical (9.8) The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_St... https://www.thehackerwire.com/vulnerability/CVE-2026-4257/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-4257
- Severity: Critical
- CVSS Score: 9.8
- Type: template_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H