Attack Vectors
CVE-2025-52753 is a medium-severity (CVSS 6.1) reflected cross-site scripting (XSS) issue affecting the WordPress plugin Contact Form by Supsystic (slug: contact-form-by-supsystic) in versions up to and including 1.7.36.
The attack is typically delivered through a crafted link or request that contains malicious script content. Because this is reflected XSS, the injected content is not stored on your site long-term; instead, it executes when a targeted person loads a specific page or URL.
No login is required for the attacker (unauthenticated), but the attacker generally must convince a user to take an action such as clicking a link (for example via email, social messaging, or a deceptive on-site prompt).
Security Weakness
The weakness is caused by insufficient input sanitization and output escaping in the plugin. In practical terms, this means the plugin may accept untrusted data and then display it back to the browser in a way that allows the browser to interpret it as executable script.
Because the attack runs in the context of your website, it can appear legitimate to the person being targeted—especially if the URL looks like it belongs to your domain and the page design matches your site.
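The weakness class described above, as an added illustration that is not code from Contact Form by Supsystic: a hypothetical WordPress template fragment that reflects a query-string value into the page unescaped, beside the hardened form that sanitizes the value on input and escapes it for each output context. The helper functions are WordPress core APIs; the parameter names `cf_msg` and `cf_back` and the `cfs_*` function names are assumptions made for this example.

```php
<?php
// Added illustration, not the plugin's own code. The parameter names
// cf_msg / cf_back and the cfs_* function names are hypothetical.

// VULNERABLE PATTERN: untrusted request data is written straight into HTML.
// The browser cannot tell attacker-controlled text from page markup, so any
// tags or event-handler attributes in the value are rendered and executed.
function cfs_render_notice_vulnerable() {
    $msg = isset( $_GET['cf_msg'] ) ? $_GET['cf_msg'] : '';
    echo '<div class="cf-notice" title="' . $msg . '">' . $msg . '</div>';
}

// HARDENED PATTERN: sanitize on input, then escape for the output context.
function cfs_render_notice_safe() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    $msg = isset( $_GET['cf_msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['cf_msg'] ) )
        : '';

    // Escaping is context-specific: esc_attr() for an HTML attribute value,
    // esc_html() for element text. Both encode <, >, &, " and ' as entities,
    // so the value is displayed literally instead of being parsed as markup.
    printf(
        '<div class="cf-notice" title="%s">%s</div>',
        esc_attr( $msg ),
        esc_html( $msg )
    );
}

// A value that lands in a URL attribute needs a different helper again:
// esc_url() rejects schemes outside the allowed list (for example the
// javascript: scheme) and percent-encodes characters that are unsafe in a URL.
function cfs_render_back_link_safe() {
    $target = isset( $_GET['cf_back'] )
        ? wp_unslash( $_GET['cf_back'] )
        : home_url( '/' );

    printf(
        '<a href="%s">%s</a>',
        esc_url( $target ),
        esc_html__( 'Back', 'example-textdomain' )
    );
}
```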
Technical or Business Impacts
While the severity is rated Medium, reflected XSS can create meaningful business risk—particularly for organizations that rely on web forms for lead generation, customer support, and campaign landing pages.
Potential impacts include:
Brand and trust damage: prospects or customers could be redirected, shown deceptive content, or prompted to share sensitive details after clicking a malicious link that appears to be associated with your site.
Account and data exposure risk: depending on the affected page and user context, an attacker may be able to interfere with a user’s session or manipulate what the user sees, which can elevate risk for staff who access WordPress while authenticated.
Compliance and incident response overhead: security events tied to customer-facing forms can trigger internal escalation (Legal/Compliance, IR, communications), distract teams, and increase costs—especially if there is evidence of attempted user deception.
Recommended remediation: Update Contact Form by Supsystic to version 1.8.0 or a newer patched version. Reference: Wordfence vulnerability record. CVE record: CVE-2025-52753.