Cross-Site Request Forgery Vulnerability in Contact Form by Supsystic for WordPress
CVE-2024-13452

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Contact Form By Supsystic
Vendor: CVE Published:; 16 April 2025

Summary

The Contact Form by Supsystic plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability due to insufficient nonce validation in its saveAsCopy function. This flaw allows unauthenticated attackers to perform unauthorized actions, potentially altering settings and injecting malicious scripts if they can deceive a site administrator into executing a malicious link.

Affected Version(s)

Contact Form by Supsystic * <= 1.7.29

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/contact-form-b...

https://plugins.trac.wordpress.org/changeset/3267149/

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 16, 2025
Vulnerability Reserved
Jan 16, 2025

Credit

Tim Coen