Cyber Posture

CVE-2026-4257

Critical · RCE · Updated

Published: 30 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4373 (97.6th percentile)
Risk Priority: 46 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4257 is a critical-severity Code Injection (CWE-94) vulnerability in the Contact Form by Supsystic plugin for WordPress (product inferred from references; NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.4% of CVEs by EPSS exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one further technique, Template Injection (T1221). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Timely remediation of flaws in vulnerable WordPress plugins such as Contact Form by Supsystic directly removes the SSTI-to-RCE vulnerability; for this CVE that means updating the plugin past 1.7.36.

SI-10 Information Input Validation (prevent): Validating and sanitizing the unauthenticated GET parameters consumed by the cfsPreFill functionality prevents injection of arbitrary Twig expressions leading to RCE. The root cause is user input being parsed as template source rather than passed in as a template variable, so input filtering is a second line of defence behind fixing how the plugin renders.

SC-7 Boundary Protection (prevent, detect): Boundary protection mechanisms such as web application firewalls can monitor and block crafted GET requests carrying Twig payloads aimed at the plugin. Treat this as a compensating control: signatures on Twig syntax can be evaded with encoding tricks and do not replace patching.
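To give the boundary-protection and detection control above something concrete, here is an added PHP example (not from this page, the plugin vendor, or any WAF product) that scans web-server access logs for query parameters carrying Twig template syntax and flags the gadget method named in the NVD text. The log lines are constructed for the example: the parameter name cfsPreFill comes from the advisory, while the paths, client addresses and user agents are made up.

```php
<?php
// Added detection example. Scans Apache/nginx combined-format access-log lines
// for query parameters that contain Twig template delimiters, and escalates the
// finding when the value names the registerUndefinedFilterCallback gadget.
// The log lines below are CONSTRUCTED for this example.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [30/Mar/2026:10:01:02 +0000] "GET /contact/?cfsPreFill=%7B%7B_self.env.registerUndefinedFilterCallback(%22system%22)%7D%7D%7B%7B_self.env.getFilter(%22id%22)%7D%7D HTTP/1.1" 200 4123 "-" "curl/8.5.0"
203.0.113.11 - - [30/Mar/2026:10:01:05 +0000] "GET /contact/?cfsPreFill=Jane%20Doe HTTP/1.1" 200 4101 "-" "Mozilla/5.0"
203.0.113.12 - - [30/Mar/2026:10:02:11 +0000] "GET /contact/?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 4102 "-" "python-requests/2.31"
203.0.113.13 - - [30/Mar/2026:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/**
 * Return the suspicious findings for one access-log line, or [] if it is clean.
 * Each finding is [client_ip, parameter_name, decoded_value, reason].
 */
function scanLine(string $line): array
{
    // Combined log format: client IP first, request line in the first quoted field.
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return [];
    }
    [, $ip, , $target] = $m;
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return [];
    }
    // parse_str URL-decodes once; decoding again catches double-encoded payloads.
    parse_str($query, $params);
    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue; // array-style parameters are out of scope here
        }
        $decoded = rawurldecode($value);
        if (preg_match('/\{\{.*\}\}|\{%.*%\}/s', $decoded)) {
            $reason = 'Twig delimiters in query parameter';
            if (preg_match('/_self\.env|registerUndefinedFilterCallback|getFilter/i', $decoded)) {
                $reason = 'known Twig RCE gadget';
            }
            $findings[] = [$ip, (string) $name, $decoded, $reason];
        }
    }
    return $findings;
}

/** Scan a whole log (one request per line) and collect every finding. */
function scanLog(string $log): array
{
    $all = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        foreach (scanLine($line) as $finding) {
            $all[] = $finding;
        }
    }
    return $all;
}

// Stand-alone run over the constructed sample: lines 1 and 3 are reported,
// line 2 (a normal name) and line 4 (no query string) are not.
foreach (scanLog(SAMPLE_LOG) as [$ip, $param, $value, $reason]) {
    printf("%s %s=%s (%s)\n", $ip, $param, $value, $reason);
}
```

Run it with `php scan.php` after saving the block (the file name is arbitrary). The delimiter check is deliberately broad and will also catch harmless `{{ }}` text, so use it to triage rather than to auto-block; the gadget check is the high-confidence signal worth paging on.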

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1221 Template Injection (Defense Evasion): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The SSTI flaw in a public-facing WordPress plugin gives unauthenticated RCE through template injection, which maps directly to Exploit Public-Facing Application (T1190). The T1221 mapping is looser: as MITRE defines it, Template Injection concerns references in user document templates (for example Office files), not server-side template engines, so read it as the nearest catalogued technique rather than an exact description of this bug.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.

Deeper analysis

CVE-2026-4257 is a critical Server-Side Template Injection (SSTI) vulnerability in the Contact Form by Supsystic plugin for WordPress, affecting all versions up to and including 1.7.36. The issue arises because the plugin renders with Twig through the `Twig_Loader_String` loader, which treats the string handed to it as template source, without enabling Twig's sandbox, and combines this with the `cfsPreFill` prefill functionality. Unauthenticated users can therefore inject arbitrary Twig expressions into form field values via GET parameters, and those expressions are evaluated server-side, enabling Remote Code Execution (RCE). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Code Injection).

Unauthenticated attackers can exploit the vulnerability remotely by sending crafted GET requests containing Twig expressions. By reaching the Twig environment from inside a template and calling its `registerUndefinedFilterCallback()` method, an attacker registers an arbitrary PHP callable as the handler for unknown filter names, so a later filter lookup invokes that callable with attacker-chosen arguments; this yields execution of arbitrary PHP functions and operating system commands on the server. No privileges, user interaction, or special conditions are required, making it highly exploitable over the network.

WordPress plugin advisories reference the vulnerable code at line 323 of forms.php in version 1.7.36 and provide a patch via changeset 3491826. The Wordfence threat intelligence page offers further details on the vulnerability (ID: 415c9658-bfb2-453b-a697-c63c08b0ca61). Security practitioners should update the plugin to a version later than 1.7.36; where an immediate update is not possible, deactivating or removing the plugin removes the exposed prefill endpoint.
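The rendering mistake the NVD text describes, beside a hardened form, as an added PHP illustration. This is not the plugin's code and not its changeset 3491826; the function names, the field template and the Composer autoload path are assumptions, and it targets Twig 1.x, the API generation in which `Twig_Loader_String` exists.

```php
<?php
// Added illustration, not the plugin's code. Assumes Twig 1.x is installed
// via Composer (the autoload path below is an assumption).
require __DIR__ . '/vendor/autoload.php';

// VULNERABLE PATTERN (the shape NVD describes): user input becomes template
// SOURCE. Twig_Loader_String treats the string passed to render() as the
// template itself, so a prefill value containing Twig syntax such as
// {{ _self.env.registerUndefinedFilterCallback(...) }} is parsed and executed
// as Twig code instead of being shown as text.
function renderPrefillVulnerable(string $fieldTemplate, string $prefill): string
{
    $twig = new Twig_Environment(new Twig_Loader_String());
    // Concatenation puts $prefill inside the template text itself.
    return $twig->render($fieldTemplate . $prefill);
}

// HARDENED PATTERN: templates are fixed strings the developer controls, loaded
// from an array; user input enters only as a VARIABLE, which Twig autoescapes
// for HTML and never parses as code.
function renderPrefillSafe(string $prefill): string
{
    $loader = new Twig_Loader_Array([
        'field.html' => '<input type="text" name="name" value="{{ prefill }}">',
    ]);
    $twig = new Twig_Environment($loader, ['autoescape' => 'html']);
    return $twig->render('field.html', ['prefill' => $prefill]);
}

// Defence in depth for code that genuinely must build templates at runtime:
// the sandbox extension with an allow-list policy rejects any tag, filter,
// method, property or function not listed, so _self.env.* calls are refused.
function sandboxedEnvironment(Twig_LoaderInterface $loader): Twig_Environment
{
    $policy = new Twig_Sandbox_SecurityPolicy(
        ['if', 'for'],        // allowed tags
        ['escape', 'upper'],  // allowed filters
        [],                   // allowed methods: none, so no _self.env.* calls
        [],                   // allowed properties
        []                    // allowed functions
    );
    $twig = new Twig_Environment($loader);
    // Second argument true = sandbox mode on for every template, not opt-in.
    $twig->addExtension(new Twig_Extension_Sandbox($policy, true));
    return $twig;
}

// Stand-alone use: prefill from the GET parameter the advisory names, rendered
// through the safe path only.
$userInput = isset($_GET['cfsPreFill']) ? (string) $_GET['cfsPreFill'] : '';
echo renderPrefillSafe($userInput);
```

The hardened function never calls `renderPrefillVulnerable`; it is kept only to show the contrast. The sandbox is worth having even with fixed templates, but on its own it is a guard rail, not a substitute for keeping user data out of template source.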

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: Contact Form by Supsystic plugin for WordPress, versions up to and including 1.7.36 (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-29306 (shared CWE-94)
CVE-2025-46295 (shared CWE-94)
CVE-2025-12733 (shared CWE-94)
CVE-2025-54815 (shared CWE-94)
CVE-2026-27745 (shared CWE-94)
CVE-2026-5760 (shared CWE-94)
CVE-2026-35178 (shared CWE-94)
CVE-2024-1490 (shared CWE-94)
CVE-2024-7419 (shared CWE-94)
CVE-2025-46581 (shared CWE-94)

References