WordPress Contact Form Entries plugin versions before 1.2.4 suffer from an unauthenticated persistent cross site scripting vulnerability.