CVE-2025-52753 is a reflected Cross-site Scripting vulnerability in the Contact Form by Supsystic WordPress plugin (versions up to 1.7.36). The vulnerability is due to improper neutralization of input during web page generation, which can allow an attacker to inject and execute arbitrary scripts in the context of users interacting with the vulnerable contact form. This can lead to partial compromise of confidentiality, integrity, and availability of affected systems or user sessions. The CVSS 3.1 base score is 7.1, with attack vector network, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability all low to low-medium. There is no vendor advisory or patch information currently available, and no known exploits have been reported.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of users visiting a website using the vulnerable Contact Form by Supsystic plugin. This can lead to theft of user credentials, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability. The CVSS score of 7.1 reflects a high severity with network attack vector and no privileges required, but user interaction is necessary. No known exploits in the wild have been reported, so the immediate risk may be limited until exploitation techniques emerge.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is available at this time, users of the Contact Form by Supsystic plugin should monitor for updates from the vendor and apply any released patches promptly. Until a fix is available, consider disabling or replacing the vulnerable plugin to mitigate risk. Avoid relying on generic mitigations as they may not fully prevent exploitation of this reflected XSS vulnerability.