The contact-form-plugin plugin prior to 4.0.6 for WordPress has multiple XSS issues.
bestwebsoft contact form