CVE-2026-4257: CWE-94 Improper Control of Generation of Code ('Code Injection') in supsysticcom Contact Form by Supsystic
CVE-2026-4257 is a critical Server-Side Template Injection (SSTI) vulnerability in the Contact Form by Supsystic WordPress plugin, affecting all versions up to and including 1.7.36. The plugin's cfsPreFill feature takes values from GET parameters and renders them through Twig using Twig_Loader_String, a loader that treats the string it is given as template source; no sandbox policy is applied. An unauthenticated attacker can therefore place arbitrary Twig expressions in the request and, as the advisory describes, reach Twig's registerUndefinedFilterCallback() to register a PHP function such as exec as the handler for unknown filters, turning the next filter lookup into arbitrary PHP and OS command execution (RCE). The CVSS v3.1 base score is 9.8: network reachable, low attack complexity, no privileges and no user interaction required. No patch is available at the time of writing and no exploitation in the wild has been reported. Sites running this plugin are exposed to full server takeover and data theft.
AI Analysis
Technical Summary
The Contact Form by Supsystic WordPress plugin is affected by a Server-Side Template Injection (SSTI) vulnerability tracked as CVE-2026-4257, present in all versions up to and including 1.7.36. The plugin's cfsPreFill feature reads GET parameters in order to prefill form fields, and it renders those values through the Twig template engine via Twig_Loader_String, a Twig 1.x loader (deprecated in 1.18.1, removed in 2.0) that treats the string handed to it as template source. Because the request values are loaded as template source rather than passed in as template variables, any Twig expression an attacker places in a parameter is compiled to PHP and executed, and no sandbox policy restricts what the resulting template may call. The advisory describes the escalation from expression evaluation to code execution: the template reaches the Twig environment object and calls its registerUndefinedFilterCallback() method to register a PHP function (for example exec) as the fallback for unknown filters; the next lookup of a non-existent filter name then invokes that function with the filter name as its argument, so the attacker runs arbitrary PHP and operating-system commands with the privileges of the web server's PHP process. No authentication or user interaction is needed. The issue is classified as CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 base score of 9.8 (Critical). At the time of publication no patch or official fix has been released and no active exploitation has been reported. Affected sites are exposed to full server compromise, data exfiltration and use of the host as a pivot into adjacent systems.
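The data-as-template-source mistake described above, shown side by side with the shape a fix should take. This is an added example, not the plugin's code and not taken from the advisory; it assumes Twig 1.x installed through Composer (the only series that ships Twig_Loader_String), and the function names and the input markup are hypothetical stand-ins for what the plugin does in effect.

```php
<?php
// Added illustration of the vulnerable pattern (not the plugin's code). Assumes Twig 1.x
// via Composer; Twig_Loader_String was deprecated in 1.18.1 and removed in 2.0, so a
// current Twig 1.x build emits a deprecation notice when it is instantiated.
require __DIR__ . '/vendor/autoload.php';

// VULNERABLE: the request value is spliced into the template *source*.
// Twig_Loader_String returns the "template name" given to render() as the source, so every
// {{ ... }} and {% ... %} inside $prefill is compiled to PHP and executed on the server.
function renderPrefillVulnerable(string $prefill): string
{
    $twig   = new Twig_Environment(new Twig_Loader_String());
    $source = '<input type="text" name="email" value="' . $prefill . '">'; // hypothetical markup
    return $twig->render($source);
}

// HARDENED: the template is a fixed string registered under a name; the request value
// enters only as a context variable and is HTML-escaped on output by autoescape, so Twig
// never sees it as code. This is the form a fix for the plugin should take.
function renderPrefillSafe(string $prefill): string
{
    $loader = new Twig_Loader_Array([
        'prefill' => '<input type="text" name="email" value="{{ value }}">',
    ]);
    $twig = new Twig_Environment($loader, ['autoescape' => 'html']);
    return $twig->render('prefill', ['value' => $prefill]);
}

// A benign probe of the kind used to confirm SSTI: an arithmetic expression that can only
// be turned into a number if the engine evaluates request input as template source.
$probe = '{{ 7 * 7 }}';
echo renderPrefillVulnerable($probe), "\n"; // the expression is evaluated
echo renderPrefillSafe($probe), "\n";       // the braces are emitted verbatim as data

// The same input position, filled with _self.env.registerUndefinedFilterCallback(...)
// followed by a lookup of an unknown filter name, is the route the advisory describes
// from expression evaluation to exec()/system() on the host.
```

Running it, the unsafe function's output carries 49 where the safe one still shows the literal braces. Twig's sandbox extension (Twig_Extension_Sandbox with a Twig_Sandbox_SecurityPolicy that allows no methods) would reject the method call on the environment and is worth enabling as defence in depth wherever template source is not fully trusted, but it is not the fix: the fix is the array-loader form, in which request data is a variable and never source.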
Potential Impact
An unauthenticated remote attacker can execute arbitrary code on an affected WordPress server with the privileges of the PHP process, which on a typical host means read access to wp-config.php (and so the database credentials), write access to the document root for web shells, and a foothold from which to attack the rest of the network. The consequences range from theft or modification of site and customer data, through malware or ransomware deployment, to use of the server as a launchpad for further attacks. WordPress and contact-form plugins are widely deployed, so the exposed population is large, and because exploitation needs only a single crafted GET request with no login and no user interaction, automated scanning and mass exploitation are likely once a working payload circulates. Confidentiality, integrity and availability are all at risk, with the operational and reputational damage that a full server compromise implies.
Mitigation Recommendations
Until an official patch is released, disable or uninstall the Contact Form by Supsystic plugin; that is the only control that removes the attack surface. If the plugin cannot be removed, restrict the affected front-end endpoints at the web server or WAF (IP allowlisting, or an authentication gate where a public contact form is not required). WAF rules that block Twig delimiters ({{ and {%) and strings such as _self, registerUndefinedFilterCallback, exec and system in query strings raise the bar, but they are a stopgap: apply them to the URL-decoded (and double-decoded) request, and expect attackers to look for encodings the rule misses. A non-destructive self-check on your own site is to submit a cfsPreFill value of {{7*7}} and look for 49 in the rendered page; 49 means the engine is evaluating request input as template source. Monitor access logs and IDS alerts for Twig syntax in query strings and for scanners hitting the plugin's endpoints; because the bug is reachable without a login, those logs are the primary evidence of an attempt. Treat any evaluation of an untrusted party's probe as a possible compromise: review the document root for new or modified PHP files, rotate the database credentials and salts in wp-config.php, and check scheduled tasks and administrator accounts. Keep WordPress core and all plugins current and apply the vendor fix as soon as one ships; the correct fix is for prefill values to be passed to Twig as escaped variables rather than compiled as template source. Isolating WordPress hosts in a segmented network zone limits lateral movement, and an incident-response playbook for web-server compromise speeds containment.
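The log-monitoring and WAF recommendations above, as an added detection example that is not from the advisory, the plugin or any vendor tooling. It scans combined-format access-log lines for Twig syntax in the query string, decoding percent-encoding repeatedly so double-encoded probes are not missed. It assumes the combined log format and that the prefill parameter name contains cfsPreFill (the advisory names the feature, not the exact parameter); the log lines in the script are constructed.

```php
<?php
// Added detection example (not from the advisory, the plugin, or a vendor). It scans
// combined-format access-log lines for Twig template syntax in the query string, decoding
// percent-encoding repeatedly so that double-encoded probes are not missed.
// Assumptions: combined log format; the prefill parameter name contains "cfsPreFill" (the
// advisory names the feature, not the exact parameter). The log lines below are constructed.

// Decode percent-encoding until the string stops changing, with a bound against
// pathological input. rawurldecode leaves '+' alone, so it is mapped to a space first.
function decodeRepeatedly(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode(str_replace('+', ' ', $s));
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// Indicators from weakest (a Twig delimiter) to strongest (the method chain and the PHP
// execution functions the advisory describes). 'cfsprefill_parameter' is context only.
const SSTI_INDICATORS = [
    'twig_print_delimiter'    => '/\{\{.+?\}\}/s',
    'twig_tag_delimiter'      => '/\{%.+?%\}/s',
    'twig_self_env'           => '/_self\s*\.\s*env\b/i',
    'twig_undefined_callback' => '/registerUndefined(Filter|Function)Callback/i',
    'php_exec_function'       => '/\b(exec|system|passthru|shell_exec|popen|proc_open)\b/i',
    'cfsprefill_parameter'    => '/cfsPreFill/i',
];
const HIGH_CONFIDENCE = ['twig_self_env', 'twig_undefined_callback', 'php_exec_function'];

// Returns null for a benign line, otherwise a finding describing the request.
function inspectLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) .*?"(GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/', $line, $m)) {
        return null;
    }
    [, $client, $method, $target] = $m;
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return null;
    }
    $decoded = decodeRepeatedly($query);

    $hits = [];
    foreach (SSTI_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    $templateHits = array_values(array_diff($hits, ['cfsprefill_parameter']));
    if ($templateHits === []) {
        return null; // the parameter name by itself is ordinary traffic
    }
    $severity = array_intersect($templateHits, HIGH_CONFIDENCE) ? 'high' : 'medium';

    return [
        'client'     => $client,
        'method'     => $method,
        'path'       => parse_url($target, PHP_URL_PATH),
        'query'      => $decoded,
        'indicators' => $templateHits,
        'prefill'    => in_array('cfsprefill_parameter', $hits, true),
        'severity'   => $severity,
    ];
}

// Constructed sample lines (documentation-range IPs): a benign prefill, a {{7*7}} probe,
// a double-encoded attempt at the callback chain, and an unrelated login POST.
$sampleLog = [
    '198.51.100.23 - - [30/Mar/2026:21:54:02 +0000] "GET /contact/?cfsPreFill%5Bname%5D=Alice HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Mar/2026:21:53:17 +0000] "GET /contact/?cfsPreFill%5Bemail%5D=%7B%7B7*7%7D%7D HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [30/Mar/2026:21:53:20 +0000] "GET /contact/?cfsPreFill%5Bname%5D=%257B%257B_self.env.registerUndefinedFilterCallback(%2522exec%2522)%257D%257D HTTP/1.1" 200 5311 "-" "python-requests/2.31"',
    '198.51.100.23 - - [30/Mar/2026:21:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    $finding = inspectLogLine($line);
    if ($finding === null) {
        continue;
    }
    printf("[%s] %s %s %s prefill=%s indicators=%s query=%s\n",
        strtoupper($finding['severity']), $finding['client'], $finding['method'],
        $finding['path'], $finding['prefill'] ? 'yes' : 'no',
        implode(',', $finding['indicators']), $finding['query']);
}
```

Only the second and third lines produce findings: the probe is reported at medium severity on the delimiter alone, and the double-encoded line decodes to the full _self.env.registerUndefinedFilterCallback("exec") chain and is reported high. The same decode-then-match logic is what a WAF rule for this issue needs; matching the raw, still-encoded query string is exactly the gap a double-encoded request walks through.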
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-16T08:09:38.881Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69caf0cde6bfc5ba1d72953b
Added to database: 3/30/2026, 9:53:17 PM
Last enriched: 3/30/2026, 10:08:19 PM
Last updated: 3/31/2026, 12:00:41 AM