Easy Contact 0.1.2 WordPress Plugin Cross Site Scripting

`Hello list!  
  
I want to warn you about Insufficient Anti-automation, Abuse of  
Functionality and Cross-Site Scripting vulnerabilities in plugin Easy  
Contact for WordPress.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are Easy Contact 0.1.2 and previous versions.  
  
----------  
Details:  
----------  
  
Insufficient Anti-automation (WASC-21):  
  
Lack of captcha at contact page allows to send automated messages  
(particularly spam) to admin of the site. Captcha is turned off by default  
and the type of text captcha Challenge Question is not reliable, because  
the value is fixed.  
  
Abuse of Functionality (WASC-42):  
  
At contact page it's possible to send spam via function Carbon Copy (Email  
yourself a copy). Which is turned on by default and leads to that it's  
possible to send spam via the site as to admin, as to arbitrary emails.  
  
And with using of Insufficient Anti-automation vulnerability it's possible  
to send automatically spam from the site on a large scale.  
  
Exploit:  
  
http://websecurity.com.ua/uploads/2011/Easy%20Contact%20Abuse%20of%20Functionality.html  
  
XSS (WASC-08):  
  
Exploits:  
  
http://websecurity.com.ua/uploads/2011/Easy%20Contact%20XSS.html  
  
http://websecurity.com.ua/uploads/2011/Easy%20Contact%20XSS-2.html  
  
http://websecurity.com.ua/uploads/2011/Easy%20Contact%20XSS-3.html  
  
http://websecurity.com.ua/uploads/2011/Easy%20Contact%20XSS-4.html  
  
------------  
Timeline:  
------------  
  
2011.04.01 - announced at my site.  
2011.04.03 - informed developers.  
2011.05.20 - disclosed at my site.  
  
I mentioned about these vulnerabilities at my site  
(http://websecurity.com.ua/5055/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
`