
CVE-2024-13452: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in supsysticcom Contact Form by Supsystic

Severity: Medium
Tags: vulnerability, CVE-2024-13452, CWE-79
Published: Wed Apr 16 2025 (04/16/2025, 02:12:04 UTC)
Source: CVE Database V5
Vendor/Project: supsysticcom
Product: Contact Form by Supsystic

Description

CVE-2024-13452 is a medium severity vulnerability in the Contact Form by Supsystic WordPress plugin, affecting all versions up to and including 1.7.29. It is a Cross-Site Request Forgery (CSRF) vulnerability caused by missing or incorrect nonce validation on the saveAsCopy function. This flaw allows unauthenticated attackers to trick site administrators into executing forged requests that update plugin settings and inject malicious scripts, leading to Cross-Site Scripting (XSS). The vulnerability requires user interaction but no authentication, and it impacts confidentiality and integrity with no direct availability impact. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized configuration changes and script injection. The threat primarily affects WordPress sites worldwide, especially those whose administrators might be targeted via social engineering. Countries with high WordPress usage and a significant web presence are at greater risk.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 00:57:40 UTC

Technical Analysis

CVE-2024-13452 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Contact Form by Supsystic plugin for WordPress, affecting all versions up to and including 1.7.29. The root cause is the absence or improper implementation of nonce validation in the saveAsCopy function, which is responsible for saving a copy of form settings. Nonces are security tokens used to verify that requests originate from legitimate users and prevent unauthorized actions. Without proper nonce validation, attackers can craft malicious HTTP requests that, when executed by an authenticated site administrator (via clicking a link or visiting a malicious page), cause unauthorized changes to plugin settings. These changes can include injecting malicious JavaScript code, resulting in Cross-Site Scripting (CWE-79). This XSS can lead to session hijacking, credential theft, or further compromise of the WordPress site. The vulnerability does not require the attacker to be authenticated but does require user interaction (UI:R). The CVSS 3.1 base score is 6.1, reflecting medium severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The scope is limited to sites using the vulnerable plugin, which is popular among WordPress users for creating contact forms.

Potential Impact

The vulnerability allows attackers to perform unauthorized changes to the Contact Form by Supsystic plugin settings by exploiting CSRF, potentially injecting malicious scripts into the website. This can lead to Cross-Site Scripting attacks, compromising the confidentiality of user data, including session cookies and credentials, and the integrity of the website content. Attackers can leverage this to escalate privileges, conduct phishing, or distribute malware to site visitors. Although availability is not directly impacted, the reputational damage and potential data breaches can be significant. Organizations relying on this plugin for customer interaction or data collection risk exposure to these attacks, especially if administrators are targeted via social engineering. The medium severity score reflects the need for timely remediation to prevent exploitation. The lack of authentication requirement and ease of exploitation via social engineering increase the risk profile for affected sites globally.

Mitigation Recommendations

1. Immediately update the Contact Form by Supsystic plugin to a patched version once available from the vendor.
2. Until a patch is released, implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the saveAsCopy function or related plugin endpoints.
3. Educate site administrators to avoid clicking on untrusted links or visiting suspicious websites while logged into WordPress admin panels to reduce the risk of social engineering.
4. Enable and enforce multi-factor authentication (MFA) for WordPress administrator accounts to reduce the impact of compromised credentials.
5. Regularly audit plugin settings and website content for unauthorized changes or injected scripts.
6. Consider temporarily disabling or replacing the vulnerable plugin if immediate patching is not feasible.
7. Monitor security advisories from the plugin vendor and WordPress security communities for updates and exploit reports.
8. Harden WordPress installations by limiting administrator access and applying the principle of least privilege.
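To make the root cause in the Technical Analysis and the remediation goal of the list above concrete, here is an added illustration of the pattern involved. This is not the Supsystic plugin's code; the handler names, the `demo_save_as_copy` nonce action, the `form_settings` parameter and the `demo_form_copy` option are all hypothetical. It places a settings-copy handler that lacks nonce validation beside one that verifies the nonce, checks capability and sanitizes the stored value so injected markup cannot reach the page.

```php
<?php
// Added illustration, not the Supsystic plugin's code: a hypothetical
// WordPress admin-ajax handler that saves a copy of form settings.
// The first function shows the CSRF pattern the advisory describes
// (no nonce check, no capability check, value stored verbatim); the
// second adds the checks WordPress provides for exactly this purpose.

// --- Vulnerable pattern (illustrative only, never hooked below) ---
function demo_save_as_copy_vulnerable() {
    // Any page that can make an admin's browser POST here succeeds:
    // no nonce, no capability check, and the value is stored as-is.
    $settings = $_POST['form_settings'] ?? '';
    update_option( 'demo_form_copy', $settings );
    wp_send_json_success();
}

// --- Hardened handler ---
function demo_save_as_copy_secure() {
    // 1. Verify a nonce bound to this specific action. $die = false lets
    //    us return a structured JSON error instead of a bare die().
    if ( ! check_ajax_referer( 'demo_save_as_copy', '_ajax_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }
    // 2. A nonce proves intent, not authority: also require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    // 3. Never persist raw markup: keep only the post-safe HTML allow-list,
    //    which drops <script> tags and on* event attributes.
    $raw      = isset( $_POST['form_settings'] ) ? wp_unslash( $_POST['form_settings'] ) : '';
    $settings = wp_kses_post( $raw );
    update_option( 'demo_form_copy', $settings );
    wp_send_json_success( array( 'saved_bytes' => strlen( $settings ) ) );
}
// wp_ajax_* hooks run only for logged-in users; deliberately no
// wp_ajax_nopriv_* counterpart is registered for a settings write.
add_action( 'wp_ajax_demo_save_as_copy', 'demo_save_as_copy_secure' );

// The legitimate admin page must ship a matching nonce to its script so
// that only requests originating from that page carry a valid token.
function demo_admin_assets() {
    wp_enqueue_script( 'demo-admin-js', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin-js', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_as_copy' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_admin_assets' );
```

When auditing a plugin for this class of bug (mitigation step 5), the items to look for are exactly the three in the hardened handler: a `check_ajax_referer`/`wp_verify_nonce` call, a `current_user_can` check, and sanitization before `update_option`.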


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-16T12:08:28.422Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e57b7ef31ef0b59ea10

Added to database: 2/25/2026, 9:49:11 PM

Last enriched: 2/26/2026, 12:57:40 AM

Last updated: 2/26/2026, 9:48:30 AM
