Contact Form by Supsystic WordPress Plugin SSTI Vulnerability (CVE-2026-4257)
The Contact Form by Supsystic WordPress plugin is vulnerable to Server-Side Template Injection (SSTI) via the `cfsPreFill` parameter, leading to unauthenticated Remote Code Execution (RCE).
The Contact Form by Supsystic plugin, a popular WordPress plugin, is susceptible to a critical Server-Side Template Injection (SSTI) vulnerability, identified as CVE-2026-4257. It affects all versions up to and including 1.7.36. The root cause is the plugin's use of the Twig template engine (`Twig_Loader_String`) without proper sandboxing; combined with the `cfsPreFill` functionality, this allows unauthenticated attackers to inject arbitrary Twig expressions into form…
Detection coverage (2 rules)

Detect Suspicious Contact Form by Supsystic Requests (severity: high)
Detects suspicious GET requests to WordPress containing the 'cfsPreFill' parameter, indicative of potential Server-Side Template Injection attempts targeting the Contact Form by Supsystic plugin.

Detect Undefined Filter Callback Registration via Twig (severity: critical)
Detects requests attempting to register undefined filter callbacks via Twig, a common technique for exploiting SSTI vulnerabilities.
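As an added illustration of the two detections described above (this is example code written here, not the platform's own rules and not the plugin's code), the following Python scanner reads Apache-style combined access-log lines and classifies GET requests that carry the `cfsPreFill` parameter. It goes beyond the listed rule in two ways: it URL-decodes the value repeatedly so a double-encoded value is still inspected, and it only escalates to "high" when Twig delimiters appear (or to "critical" when the undefined-filter callback name is present), leaving bare presence of `cfsPreFill` at a "low" triage tier. The log lines, IP addresses, timestamps, paths and severity labels are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache combined log format; hosts, IPs and
# timestamps are made up for this example. Line 1 is a plain Twig probe,
# line 2 is the same probe double URL-encoded, line 3 is a benign prefill,
# line 4 does not touch the parameter at all.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /contact/?cfsPreFill=%7B%7B7*7%7D%7D HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2026:12:00:02 +0000] "GET /contact/?cfsPreFill=%257B%257B+7*7+%257D%257D HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /contact/?cfsPreFill=John+Doe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2026:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Twig delimiters: any of these inside a prefill value is not normal form data.
TWIG_MARKERS = ("{{", "{%", "}}", "%}")
# Name of the Twig environment method the second rule on the page refers to.
CALLBACK_MARKER = "registerundefinedfiltercallback"


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded values are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str):
    """Classify a request target (path + query).

    Returns None when cfsPreFill is absent, otherwise a
    (severity, reason, decoded_value) tuple.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = params.get("cfsPreFill")  # PHP $_GET keys are case-sensitive
    if values is None:
        return None
    for raw in values:
        value = fully_decode(raw)
        if CALLBACK_MARKER in value.lower():
            return ("critical", "undefined-filter callback registration via Twig in cfsPreFill", value)
        if any(marker in value for marker in TWIG_MARKERS):
            return ("high", "Twig template syntax in cfsPreFill", value)
    return ("low", "cfsPreFill present without template syntax (triage only)", fully_decode(values[0]))


def scan_log(text: str):
    """Return one finding dict per GET line whose target carries cfsPreFill."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        verdict = classify_request(m.group("target"))
        if verdict is None:
            continue
        severity, reason, value = verdict
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "severity": severity,
            "reason": reason,
            "value": value,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:14} {f['reason']} -> {f['value']!r}")
```

The bounded re-decoding loop is the caveat worth keeping in any production version of this rule: a signature that only looks for literal `{{` in the raw query string misses the second sample line, while a rule that fires on every occurrence of `cfsPreFill` (as the page's high-severity rule does) will also catch legitimate prefilled links, which is why the example keeps that case at a separate low tier for triage rather than suppressing it.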
Detection queries are kept inside the platform.