What the vulnerability does
01Description
The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.
Explanation of Vulnerability in Simple Terms
02Summary
Contact Form by Supsystic versions 1.7.36 and earlier contain a code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on the site without user interaction. The vulnerability stems from improper input validation in form processing. An attacker can exploit this remotely over the network to gain full control of the affected WordPress installation.
What an attacker can do
03Attacker Capabilities
Run arbitrary PHP code on the site and take complete control of it.
Potential impact on your site
04Site Impact
Complete site compromise. Attackers can steal data, modify content, install malware, or deface the site.
Conditions required to exploit
05Prerequisites
None. The attacker needs only network access; no authentication or user interaction required.
Key dates
06Disclosure timeline
March 30, 2026
CVE published
April 8, 2026
Record updated