CVE-2026-4257 — AI Deep Analysis Summary

🚨 **Essence**: Critical Code Injection in WordPress plugin 'Contact Form by Supsystic'. 💥 **Consequences**: Unauthenticated attackers can inject arbitrary Twig expressions via GET parameters.…

🛡️ **Root Cause**: CWE-94 (Code Injection). 🔍 **Flaw**: The plugin uses an **unsandboxed Twig template engine** (`Twig_Loader_String`).…

📦 **Affected Product**: Contact Form by Supsystic (WordPress Plugin). 📉 **Versions**: Version **1.7.36 and earlier**. 🏢 **Vendor**: Supsystic.

⚔️ **Attacker Capabilities**: Full Remote Code Execution. 📊 **Impact**: High Confidentiality, Integrity, and Availability loss (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 🔓 **Privileges**: No authentication required.…

📉 **Exploitation Threshold**: **LOW**. 🔑 **Auth**: None required (Unauthenticated). 🖱️ **UI**: No user interaction needed. 🌐 **Access**: Network vector (AV:N). Easy to exploit via simple GET requests.

💻 **Public Exploit**: **YES**. 📜 **PoC**: Available via ProjectDiscovery Nuclei templates. 🔗 **Link**: [Nuclei Template](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-4257.yaml).…

🔍 **Self-Check**: Scan for WordPress sites running 'Contact Form by Supsystic' <= v1.7.36. 🛠️ **Tooling**: Use Nuclei with the provided CVE-2026-4257 template. 👀 **Manual**: Look for `cfsPreFill` functionality and unsand…

🩹 **Official Fix**: **YES**. 📅 **Patch Date**: Published 2026-03-30. 🔗 **Reference**: [WordPress Plugin Trac Changeset](https://plugins.trac.wordpress.org/changeset/3491826/contact-form-by-supsystic).…

🚧 **No Patch Workaround**: 1. **Disable** the plugin if not essential. 2. **WAF Rules**: Block GET parameters containing Twig syntax (e.g., `{{`, `}}`, `{%`). 3.…

🔥 **Urgency**: **CRITICAL**. ⚠️ **Priority**: **P1 (Immediate Action)**. 📢 **Reason**: Unauthenticated RCE with public PoC. High CVSS score (9.8+ implied by vector).…