CVE-2026-4257 Scanner
CVE-2026-4257 Scanner - Server Side Template Injection (SSTI) vulnerability in WordPress Contact Form by Supsystic
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
2 weeks 11 hours
Scan only one
URL
Toolbox
WordPress Contact Form by Supsystic is a popular plugin used by website administrators to add contact form functionalities to their WordPress sites. It provides a wide range of customizable features, making it easy for users to create forms for contact, feedback, or other purposes. This plugin is widely adopted, especially by businesses and bloggers who seek a user-friendly way to implement contact forms. However, the plugin can be vulnerable to security issues if not updated regularly. Users rely on it to enhance the communication interface of their website, making security essential. Hence, maintaining updated versions is crucial for website safety.
The server-side template injection vulnerability allows a remote attacker to execute arbitrary code on the server. This issue arises when unsandboxed code is processed, allowing for execution of harmful code through user-supplied input. In the case of WordPress Contact Form by Supsystic, this vulnerability affects versions <= 1.7.36. Unauthenticated attackers can exploit this feature via specific GET parameters. Such vulnerabilities can compromise the integrity and security of a server, leading to unauthorized access.
Technical details reveal that this vulnerability involves the use of unsandboxed `Twig_Loader_String` and `cfsPreFill` functionality. The vulnerable parameter is manipulated via GET requests that allow for remote code execution. This exploitation can occur without authentication, increasing the ease with which an attacker can gain control. The GET parameters are manipulated to inject and execute malicious code, posing a significant security risk. The critical nature of this vulnerability requires immediate attention and patching.
If an attacker exploits this vulnerability, it could lead to complete server compromise. The attacker may execute arbitrary PHP functions and operating system commands remotely. Consequently, sensitive data could be exposed, modified, or destroyed. Furthermore, server operations could be disrupted, affecting website availability and integrity. This vulnerability provides a foothold for further attacks, including installing backdoors or malware. Organizations could suffer reputational damage and financial loss from any service disruption or data breach.
REFERENCES
- https://patchstack.com/database/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-36-unauthenticated-server-side-template-injection-via-prefill-functionality-vulnerability
- https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/tags/1.7.36/modules/forms/views/forms.php#L323
- https://plugins.trac.wordpress.org/changeset/3491826/contact-form-by-supsystic
