01 Description: what the vulnerability does
The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on the saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
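To show what "missing nonce validation" means in WordPress terms, here is an added illustration that is not code from Contact Form by Supsystic: a hypothetical AJAX save handler (all `example_*` names, option keys and the `admin.js` path are assumed) first without the nonce check, then with the checks a reviewer would expect to close the CSRF and blunt the resulting script injection.

```php
<?php
// Added illustration, not the plugin's own code. A hypothetical "save as copy"
// style handler, shown vulnerable and then hardened.

// BEFORE: any POST is honoured. A forged request from a third-party page that the
// logged-in admin's browser sends (carrying the admin's cookies) saves the settings.
function example_save_as_copy_vulnerable() {
    $settings = $_POST['settings'] ?? '';          // unvalidated, unsanitized
    update_option( 'example_form_settings', $settings );
    wp_send_json_success();
}

// AFTER: a per-user, per-action nonce ties the request to a page the admin really
// loaded; a capability check limits who may save; sanitization keeps saved markup
// from becoming a persistent script injection that runs in visitors' browsers.
function example_save_as_copy_secure() {
    // Terminates with HTTP 403 unless $_POST['_ajax_nonce'] (or '_wpnonce')
    // is a valid nonce for this action.
    check_ajax_referer( 'example_save_as_copy' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw      = wp_unslash( $_POST['settings'] ?? '' );
    $settings = wp_kses_post( $raw );   // strips <script>, on* handlers, etc.
    update_option( 'example_form_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_as_copy', 'example_save_as_copy_secure' );

// The nonce is minted server-side when the admin page renders and handed to the
// page's script, which sends it back as _ajax_nonce with each save request.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_as_copy' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*` or `admin_post_*` callback that writes options and confirm it calls `check_ajax_referer`, `check_admin_referer` or `wp_verify_nonce` before acting.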
02 Summary: the vulnerability in simple terms
Contact Form by Supsystic versions 1.7.29 and earlier contain a cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts that execute in visitors' browsers when they view a form. The vulnerability requires user interaction: a victim must visit a page containing the malicious payload. The impact is limited to session hijacking or credential theft from form users, not site-wide compromise.
03 Attacker Capabilities: what an attacker can do
Inject JavaScript that runs in visitors' browsers when they view a contact form.
04 Site Impact: potential impact on your site
Form visitors' sessions or credentials could be stolen; your site's reputation may suffer if used for phishing.
05 Prerequisites: conditions required to exploit
No authentication is required. A victim must visit a page containing the malicious form payload.
06 Disclosure timeline: key dates
April 16, 2025: CVE published
April 8, 2026: Record updated