Cross-Site Request Forgery in Contact Form Plugin for WordPress by Supsystic
CVE-2023-2528

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Contact Form by Supsystic
Vendor: CVE Published:; 17 May 2023

Summary

The Contact Form by Supsystic plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in its AJAX action handler. This flaw allows unauthorized attackers to initiate AJAX actions if they can convince an administrator to interact with a malicious link. This vulnerability primarily impacts versions up to 1.7.24 of the plugin, exposing sites to potential unauthorized actions by attackers.

Affected Version(s)

Contact Form by Supsystic * <= 1.7.24

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/contact-form-b...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 17, 2023
Vulnerability Reserved
May 4, 2023

Credit

Marco Wotschka