Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-4257 PoC — WordPress plugin Contact Form by Supsystic 代码注入漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-4257.yaml
Associated Vulnerability
Title:WordPress plugin Contact Form by Supsystic 代码注入漏洞 (CVE-2026-4257)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Contact Form by Supsystic 1.7.36及之前版本存在代码注入漏洞,该漏洞源于使用未沙箱化的Twig模板引擎且未经验证的用户可通过GET参数注入任意Twig表达式,可能导致服务器端模板注入和远
Description
Contact Form by Supsystic WordPress plugin <= 1.7.36 contains a server-side template injection caused by unsandboxed Twig_Loader_String and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters.
File Snapshot

 id: CVE-2026-4257

info:
  name: WordPress Contact Form by Supsystic - Server-Side Template Injectio

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.