
Cloud Vulnerability DB
A community-led vulnerabilities database
The Contact Form by Supsystic WordPress plugin contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability that allows Command Injection. This vulnerability, identified as CVE-2024-48042, affects versions up to and including 1.7.28 of the plugin. The issue was discovered and reported by security researcher Hakiduck (Patchstack).
The vulnerability is classified as a Remote Code Execution (RCE) vulnerability due to server-side template injection (SSTI) issues in the plugin's functionality. The severity of this vulnerability is rated as Critical with a CVSS v3.1 base score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The vulnerability is tracked under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) (Patchstack).
If exploited, this vulnerability could allow authenticated attackers with administrator-level access to execute arbitrary commands on the target server, potentially leading to complete website compromise. Successful exploitation could result in unauthorized access, data breach, and full control of the affected website (WPScan).
The vulnerability has been patched in version 1.7.29 of the Contact Form by Supsystic plugin. Website administrators are strongly advised to update to this version or later to remediate the security risk (WPScan).
Source: This report was generated using AI