The contact-form-multi plugin prior to 1.2.1 for WordPress has multiple XSS issues.
bestwebsoft contact form multi