The contact-form-to-email plugin for WordPress, in versions prior to 1.2.66, has a cross-site scripting (XSS) vulnerability.
codepeople contact form email