The cf7-invisible-recaptcha plugin prior to 1.3.2 for WordPress has XSS.
vsourz cf7 invisible recaptcha