CVE-2026-4257 is a server-side template injection (SSTI) vulnerability in the Contact Form by Supsystic WordPress plugin affecting all versions up to and including 1.7.36. The issue arises because the plugin uses Twig's Twig_Loader_String to process template content without sandboxing, while also exposing attacker-controlled input through the cfsPreFill prefill functionality. An unauthenticated attacker can supply crafted GET parameters that inject arbitrary Twig expressions into form field values. Because the Twig environment is not sandboxed, the injected template code can abuse registerUndefinedFilterCallback() to register arbitrary PHP callbacks, enabling execution of arbitrary PHP functions and ultimately OS commands on the underlying server.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the vulnerability has high impact on confidentiality, integrity, and availability.If you can’t patch tonight, do this now.
cfsPreFill functionality and block untrusted GET parameters from reaching the vulnerable rendering path. Add WAF or reverse-proxy rules to detect and block suspicious Twig expression syntax in request parameters. Restrict outbound connectivity and harden the PHP/WordPress runtime to reduce post-exploitation impact, but these measures do not eliminate the underlying vulnerability. Because exploitation is unauthenticated and can yield code execution, temporary removal of the plugin is the safest mitigation.Patch, then assume compromise.
cfsPreFill, and prevents untrusted input from being rendered through Twig without strict sandboxing. If an official fixed release is available, apply it immediately. Review the referenced code path in modules/forms/views/forms.php and the associated WordPress plugin repository changeset for the vendor's patch details. After patching, inspect the server and WordPress instance for signs of compromise because this flaw permits arbitrary code execution.4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Single-file Python exploit/scanner targeting CVE-2026-4257 in the WordPress 'Contact Form by Supsystic' plugin. The repository contains one entry point, CVE-2026-4257.py, which uses requests, argparse, regex parsing, urllib path joining, and ThreadPoolExecutor for concurrent scanning. The script is structured into banner output, detection helpers, exploit helpers, mass-scan logic, and a CLI main routine. Detection logic fingerprints the plugin by requesting /wp-content/plugins/contact-form-by-supsystic/readme.txt, the plugin directory, and a CSS asset, and by checking page HTML for Supsystic-related indicators such as 'supsystic', 'contact-form-by-supsystic', 'cfsForm', 'cfs-form', and 'cfs_form'. Version parsing marks versions up to 1.7.36 as vulnerable. The visible exploit helper detect_form_fields() attempts to extract form field names from page HTML, indicating the exploit phase is based on crafting form submissions to the vulnerable plugin. The script supports single-target detection/exploitation and threaded bulk detection from a target list, then writes vulnerable and patched results to local text files. Based on the available code, this is a real operational web exploit/scanner rather than a pure detector, though the provided excerpt is truncated and the exact final malicious submission parameters are not fully visible.
This repository contains a single Python proof-of-concept exploit, cve-2026-4257.py, targeting CVE-2026-4257 in the WordPress plugin Contact Form by Supsystic <= 1.7.36. The script is a standalone web exploit using the requests library and argparse for CLI input. Its workflow has two stages: check_ssti() sends a GET request with cfsPreFill=1 and a user-chosen form field containing {{7*7}} to confirm server-side template evaluation by looking for 49 in the response; trigger_rce() then sends a second GET request with a Twig payload that abuses registerUndefinedFilterCallback and getFilter to invoke PHP system(), passing the function name via last_name and the OS command via email. The exploit is unauthenticated, assumes the vulnerable form page is reachable directly, and requires the operator to know a valid field name such as first_name. It attempts to parse command output from the returned HTML using a regex against an input field value. There are no additional modules, persistence features, or post-exploitation tooling; the repository is a compact operational PoC focused solely on SSTI confirmation and command execution over HTTP.
Repository contains a small exploit package with 5 files: one Python exploit, one Nuclei YAML template, README, license, and gitignore. The main offensive capability is in CVE-2026-4257.py, a Python-based unauthenticated web exploit targeting a WordPress plugin SSTI flaw that the repository describes as Contact Form by Supsystic <= 1.7.36. The script uses requests/urllib3, disables SSL verification by default, fetches the target page, extracts a plugin version marker using the string 'suptablesui.min.css?ver=', checks whether the version is vulnerable, detects form fields, and supports command execution through a crafted SSTI payload. It also exposes an interactive shell interface with commands such as direct shell execution, field selection, target info display, and field detection. README examples indicate post-exploitation goals like running id, whoami, ls, and reading /etc/passwd, consistent with remote OS command execution. The included YAML file is a Nuclei template rather than an exploit for command execution; it performs safe verification by requesting the base page, extracting candidate page paths, then probing pages with cfsPreFill=1 and an arithmetic Twig payload in first_name to confirm server-side template evaluation. Because the repository includes a Nuclei template, framework identification is Nuclei, but the repository overall is not limited to detection: it also includes standalone Python exploit code. Overall purpose: identify vulnerable public WordPress form pages and exploit unauthenticated SSTI to achieve remote command execution, with the YAML serving as a scanner/validator and the Python script serving as the operational exploit.
Repository contains a standalone Python exploit (exploit.py), a Metasploit module implementation (msf-exploit.rb), and documentation (README.md, msf-exploit.md) for CVE-2026-4257. The target is the WordPress plugin "Contact Form" by Supsystic <= 1.7.36, where user-controlled form field values are rendered through a Twig template path in generateHtml(), enabling unauthenticated SSTI-to-RCE. The Python exploit workflow is: fetch target page, optionally fingerprint plugin version by searching for suptablesui.min.css?ver=..., enumerate candidate form fields from data-name attributes, choose a field, then send a GET request to the vulnerable page with cfsPreFill=1 and the chosen field containing a Twig payload. That payload stores UTF-8 and BASE64 markers, embeds a base64-encoded attacker command, decodes it with convert_encoding, registers exec as an undefined filter callback, and invokes it via _self.env.getFilter(p). The script then attempts to extract command output from the reflected field value in the returned HTML. The Metasploit module provides a more operationalized version. It uses HttpClient, supports automatic field discovery, includes a check method for version/field-based detection, and supports both Unix/Linux and Windows command payload targets. Default payloads are reverse shell oriented (cmd/unix/reverse_bash and cmd/windows/powershell_reverse_tcp), making the repository more than a simple detection PoC. Overall, the repo’s purpose is to provide both a direct command-execution PoC and a reusable Metasploit exploit module for unauthenticated web-based RCE against vulnerable Supsystic Contact Form deployments.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Unknown
A remote code execution vulnerability in the Contact Form by Supsystic WordPress plugin caused by unsafe Twig template handling via unauthenticated SSTI in versions up to and including 1.7.36.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.