The booking-calendar-contact-form plugin prior to 1.0.24 for WordPress has XSS.
codepeople booking calendar contact form