Live Vulnerability Intelligence

Threat Database

Contact Form By Supsystic (WordPress plugin): 4 entries, 1 critical, 0 high, 3 medium.
CVE-2026-4257 - Contact Form By Supsystic Plugin

CRITICAL, CVSS 9.8. Published 2026-03-30. Threat entry updated 2026-04-01.

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin rendering templates with Twig through the `Twig_Loader_String` loader without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register…
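The entry above gives a defender two concrete facts: the injection arrives as Twig expressions in GET parameters, and the primitive that turns a template probe into code execution is `registerUndefinedFilterCallback()`. That is enough to hunt for exploitation attempts in web server logs. The following is an added example written for this page, not code from the plugin or from the advisory source. It parses Apache combined-format access-log lines, percent-decodes every query parameter, and flags values containing Twig delimiters, escalating the finding when a known dangerous Twig or PHP token appears. The log lines are constructed samples, and the `cfsPreFill[...]` parameter shape is an assumption about how prefill values are passed; the page only states that GET parameters reach the template.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache combined format). They are
# not taken from any real server and exist only to exercise the detector.
# The cfsPreFill[...] parameter shape is an assumption; the advisory only
# says Twig expressions reach the template via GET parameters.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2026:10:15:01 +0000] "GET /contact/?cfsPreFill%5Bemail%5D=alice%40example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [30/Mar/2026:10:15:07 +0000] "GET /contact/?cfsPreFill%5Bname%5D=%7B%7B7*7%7D%7D HTTP/1.1" 200 5133 "-" "curl/8.5.0"
203.0.113.12 - - [30/Mar/2026:10:15:09 +0000] "GET /contact/?cfsPreFill%5Bname%5D=%7B%7B_self.env.registerUndefinedFilterCallback(%22system%22)%7D%7D HTTP/1.1" 200 5201 "-" "python-requests/2.31"
203.0.113.13 - - [30/Mar/2026:10:16:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Twig delimiters: {{ ... }} prints an expression, {% ... %} opens a tag.
TWIG_EXPR_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Tokens that turn a generic template probe into a likely code-execution
# attempt. registerUndefinedFilterCallback is the primitive the advisory
# names; the PHP function names are the usual callbacks handed to it.
HIGH_RISK_TOKENS = (
    "registerUndefinedFilterCallback", "getFilter", "_self",
    "system(", "exec(", "passthru(", "shell_exec(",
)


def twig_expressions(value: str) -> List[str]:
    """Return every Twig expression or tag found in a decoded parameter value."""
    return TWIG_EXPR_RE.findall(value)


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Inspect one access-log line; return a finding or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes names and values, so the regex sees the same
    # template syntax the server handed to Twig, not %7B%7B escapes.
    for name, value in parse_qsl(query, keep_blank_values=True):
        exprs = twig_expressions(value)
        if not exprs:
            continue
        severity = "high" if any(tok in value for tok in HIGH_RISK_TOKENS) else "probe"
        return {
            "client": line.split(" ", 1)[0],
            "param": name,
            "expressions": exprs,
            "severity": severity,
        }
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log; at most one finding per line."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['severity']:5} {hit['client']:15} {hit['param']} -> {hit['expressions']}")
```

Feed real log contents to `scan_log()`. A bare `{{7*7}}`-style hit is reconnaissance; a hit carrying `registerUndefinedFilterCallback` against a site that was on 1.7.36 or earlier at that time is a probable compromise of the web host, and the response is forensic review of the server, not only a plugin update.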
CVE-2024-13452 - Contact Form By Supsystic Plugin

MEDIUM, CVSS 6.1. Published 2025-04-16. Threat entry updated 2025-04-16.

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2528 - Contact Form By Supsystic Plugin

MEDIUM, CVSS 5.4. Published 2023-05-17. Threat entry updated 2024-11-21.

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2021-24276 - Contact Form By Supsystic Plugin

MEDIUM, CVSS 6.1. Published 2021-05-05. Threat entry updated 2024-11-21.

The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.
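The four entries state their affected ranges in two forms, "up to, and including, X" and "before X", and a naive string comparison of dotted versions gets them wrong ("1.7.9" sorts after "1.7.36"). The following added example, written for this page rather than taken from the plugin or the advisory source, encodes the four ranges exactly as stated above, reads the installed version from the `Version:` field of a WordPress plugin file header (the real header convention), and reports which of the page's CVEs apply, highest CVSS first. The plugin header text is a constructed sample, and fixed versions are not asserted because the page does not state them.

```python
import re
from typing import List, Tuple

# The four advisories on this page, reduced to the version condition each one
# states. inclusive=True mirrors "all versions up to, and including, X";
# inclusive=False mirrors "before X". Fixed versions are deliberately not
# listed because the page does not state them.
ADVISORIES = [
    # (CVE, summary, bound, inclusive, CVSS)
    ("CVE-2026-4257", "unauthenticated SSTI to RCE via cfsPreFill", "1.7.36", True, 9.8),
    ("CVE-2024-13452", "CSRF on saveAsCopy, settings change / script injection", "1.7.29", True, 6.1),
    ("CVE-2023-2528", "CSRF on AJAX action handler", "1.7.24", True, 5.4),
    ("CVE-2021-24276", "reflected XSS via tab parameter", "1.7.15", False, 6.1),
]

# WordPress plugin files carry the version as a "Version:" line inside the
# opening comment block. That convention is real; the text below is a
# constructed sample, not the plugin's actual file.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Contact Form by Supsystic
Description: constructed sample header for this example
Version: 1.7.29
*/
"""

HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def version_from_plugin_header(php_source: str) -> str:
    """Pull the Version: field out of a plugin header block."""
    m = HEADER_VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no Version: field in plugin header")
    return m.group(1).rstrip(".")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.7.36' -> (1, 7, 36). Tuples compare component-wise, so
    (1, 7, 9) < (1, 7, 36); comparing the strings would say the opposite."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(installed: str, bound: str, inclusive: bool) -> bool:
    a, b = parse_version(installed), parse_version(bound)
    return a <= b if inclusive else a < b


def exposure(installed: str) -> List[str]:
    """CVE IDs from this page that apply to the installed version, highest
    CVSS first (ties keep page order)."""
    hits = [adv for adv in ADVISORIES if is_affected(installed, adv[2], adv[3])]
    hits.sort(key=lambda adv: adv[4], reverse=True)
    return [adv[0] for adv in hits]


if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed {installed}: exposed to {exposure(installed) or 'none of the listed CVEs'}")
```

Point `version_from_plugin_header()` at the plugin's main PHP file under `wp-content/plugins/` to triage a real install. A version at or below 1.7.36 is exposed to the unauthenticated RCE regardless of what else applies, so that entry should drive the priority.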