Impact
The Contact Form by Supsystic plugin fails to properly neutralize user‑supplied input before rendering it, allowing an attacker to inject malicious JavaScript that executes in the victim’s browser when the reflected input is displayed. This reflected XSS flaw, classified as CWE‑79, could enable attackers to steal session cookies, modify page content, or redirect users to malicious sites, compromising the confidentiality and integrity of user data, but it does not directly cause denial of service or full system compromise.
Affected Systems
WordPress sites that have installed the Contact Form by Supsystic plugin version 1.7.36 or earlier are affected. On any such deployment that is publicly reachable, the vulnerable form endpoint is exposed, so anyone who can reach the form or the vulnerable URL can trigger the flaw.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑to‑high severity. The EPSS score of <1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA KEV. Attackers can exploit it through a browser‑based vector, typically by crafting a malicious link or form that includes injected code; when an end user visits the link or submits the form, the script runs in their context. Because reflected XSS can be triggered by a simple crafted payload, the risk remains real for sites that expose the vulnerable form to external traffic.
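The CWE‑79 pattern described in the Impact and Risk sections above, shown as an added PHP example that is not the Supsystic plugin's own code. It places a form handler that echoes a submitted value straight back into the page next to the hardened version that encodes the value for its output context. The function names, the `subject` field and the sample input are hypothetical; the plain‑PHP `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the file runs without WordPress loaded.

```php
<?php
// Added example, not the plugin's own code: the reflected-XSS (CWE-79) pattern
// and its hardened equivalent. Field and function names are hypothetical.

// Constructed input standing in for a value read from $_GET or $_POST.
// The leading quote closes the attribute so the rest becomes live markup.
$untrusted = '"><script>alert(document.cookie)</script>';

// Vulnerable: the submitted value is written back into the HTML unchanged,
// so any markup the requester put in the URL or form body is rendered.
function render_vulnerable(string $subject): string
{
    return '<input type="text" name="subject" value="' . $subject . '">';
}

// Hardened: encode for the HTML attribute context at the point of output.
// In WordPress code use esc_attr() here; htmlspecialchars() with ENT_QUOTES
// is the plain-PHP equivalent and neutralizes <, >, & and both quote styles.
function render_hardened(string $subject): string
{
    $safe = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="subject" value="' . $safe . '">';
}

// Reviewer check: does the raw, unencoded input survive into the output?
// True means the page reflects user-controlled markup verbatim.
function reflects_raw_input(string $html, string $input): bool
{
    return str_contains($html, $input);
}

echo render_vulnerable($untrusted), PHP_EOL;
echo render_hardened($untrusted), PHP_EOL;
echo 'vulnerable reflects raw input: ',
    var_export(reflects_raw_input(render_vulnerable($untrusted), $untrusted), true), PHP_EOL;
echo 'hardened reflects raw input:   ',
    var_export(reflects_raw_input(render_hardened($untrusted), $untrusted), true), PHP_EOL;
```

Run it with `php example.php` (PHP 8 or later for `str_contains()`). The same encoding step applies to every place the plugin writes a request value into a response: attribute values need `esc_attr()`, text nodes `esc_html()`, and URLs `esc_url()`; encoding once in the wrong context, or relying on input filtering alone, is what leaves a reflected sink like this one open.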
OpenCVE Enrichment