https://feed.craftedsignal.io/tags/twig/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 30 Mar 2026 22:16:20 +0000https://feed.craftedsignal.io/briefs/2026-03-ssti-wordpress/Mon, 30 Mar 2026 22:16:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-ssti-wordpress/The Contact Form by Supsystic WordPress plugin is vulnerable to Server-Side Template Injection (SSTI) via the `cfsPreFill` parameter, leading to unauthenticated Remote Code Execution (RCE).The Contact Form by Supsystic plugin, a popular WordPress plugin, is susceptible to a critical Server-Side Template Injection (SSTI) vulnerability, identified as CVE-2026-4257. This vulnerability affects all versions up to and including 1.7.36. The root cause lies in the plugin’s use of the Twig template engine (Twig_Loader_String) without proper sandboxing. This, combined with the cfsPreFill functionality, allows unauthenticated attackers to inject arbitrary Twig expressions into form…

]]>criticaladvisorysstiwordpressrcetwig