CVE-2024-13452 MEDIUM

CVE-2024-13452: Contact Form by Supsystic <= 1.7.29 - Cross-Site Request Forgery to Stored Cross-Site Scripting via saveAsCopy AJAX Action

Vendor: Supsysticcom
Product: Contact Form by Supsystic
Weakness: CWE-79 (Cross-Site Scripting)
Published: April 16, 2025
Last update: April 8, 2026

CVSS base score

6.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on the saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
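As an added example (not the plugin's or the vendor's code), the pattern behind this class of flaw and its fix: a hypothetical WordPress admin-ajax handler with no nonce check beside one that verifies a nonce, checks capability and sanitises the stored settings. The example_* names, the option name and the 'nonce' request field are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical "save as copy"
// admin-ajax handler. All action, option and capability names are assumptions.

// VULNERABLE PATTERN: nothing proves the request came from the plugin's own
// admin page. An administrator lured to an attacker-controlled page submits
// this request with their session cookies, so forged settings are stored and
// later rendered in the form markup (CSRF leading to stored XSS).
function example_save_as_copy_unsafe() {
    $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array(); // unchecked
    update_option( 'example_form_copy', $settings );                         // stored verbatim
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_as_copy_unsafe', 'example_save_as_copy_unsafe' );

// HARDENED: a nonce bound to this action ties the request to a page WordPress
// itself served to this user, the capability check enforces least privilege,
// and sanitising the stored values closes the script-injection path.
function example_save_as_copy_safe() {
    // Stops with HTTP 403 when the 'nonce' field is missing or does not verify.
    check_ajax_referer( 'example_save_as_copy', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw      = isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ? $_POST['settings'] : array();
    $settings = array();
    foreach ( $raw as $key => $value ) {
        // wp_kses_post() keeps basic markup but strips <script>, on* handlers and javascript: URLs.
        $settings[ sanitize_key( $key ) ] = is_string( $value ) ? wp_kses_post( wp_unslash( $value ) ) : '';
    }
    update_option( 'example_form_copy', $settings );
    // Still escape at render time (esc_html()/esc_attr()); sanitising on save is defence in depth.
    wp_send_json_success( array( 'saved' => count( $settings ) ) );
}
add_action( 'wp_ajax_example_save_as_copy', 'example_save_as_copy_safe' );

// Issue the nonce to the plugin's admin page so its own JavaScript can send it back.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_as_copy' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

A forged request from another origin cannot carry a valid nonce for this action, so the hardened handler rejects it before any setting is written.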

Explanation of Vulnerability in Simple Terms

02 Summary

Contact Form by Supsystic versions 1.7.29 and earlier contain a cross-site request forgery flaw that leads to stored cross-site scripting (XSS). An attacker can inject malicious scripts that execute in visitors' browsers when they view a form. The vulnerability requires user interaction: a victim must visit a page containing the malicious payload. The impact is limited to session hijacking or credential theft from form users, not site-wide compromise.

What an attacker can do

03 Attacker Capabilities

Inject JavaScript that runs in visitors' browsers when they view a contact form.

Potential impact on your site

04 Site Impact

Form visitors' sessions or credentials could be stolen; your site's reputation may suffer if used for phishing.

Conditions required to exploit

05 Prerequisites

No authentication is required for the attacker. A victim must visit a page carrying the malicious form payload.

Key dates

06 Disclosure timeline

April 16, 2025: CVE published
April 8, 2026: Record updated