A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin prior to 1.5.9 for WordPress.
wpforms contact form