Contact Form by Supsystic < 1.7.30 – Cross-Site Request Forgery to Stored Cross-Site Scripting via saveAsCopy AJAX Action | CVE 2024-13452 | Plugin Vulnerabilities

Description

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

contact-form-by-supsystic

Fixed in 1.7.30

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b2dbf510-d99f-4918-8462-66696b68003c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

c477aaf1-20e7-4c85-ac20-ea564a020582

Timeline

Publicly Published

2025-04-15 (about 1 year ago)

Added

2025-04-15 (about 1 year ago)

Last Updated

2025-04-16 (about 1 year ago)

Other

Published

Title

Published

2024-10-14

Title

Booking.com Banner Creator <= 1.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2015-02-02

Title

WordPress Calls to Action <= 2.2.7 - Stored XSS

Published

2026-01-08

Title

Famous - Responsive Image And Video Grid Gallery WordPress <= 1.4 - Reflected Cross-Site Scripting

Published

2023-01-24

Title

WP Font Awesome < 1.7.9 - Contributor+ Stored XSS

Published

2024-07-11

Title

Goftino < 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting