The plugin neither sanitises on save nor escapes on output the user input submitted through its contact forms. An unauthenticated visitor can therefore store a Cross-Site Scripting payload that executes in the browser of any admin who later views the entry (stored XSS).
As an unauthenticated visitor, open a page or post that contains a contact form created with the plugin and submit the following payload in the Name, Subject and Message fields: <img src onerror=alert(/XSS/)>
The XSS fires when an admin views the related entry. Because the img element has an empty src, the browser raises its error event as soon as the entry is rendered, so no interaction by the admin is needed; the /XSS/ regex literal keeps the payload free of quotes.
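The bug class described above, as an added illustration that is not the plugin's own code: a stand-alone PHP script that takes the PoC submission, stores it through a vulnerable and a hardened path, and renders it into a hypothetical admin entries table both unescaped (the sink that makes the payload fire) and escaped with htmlspecialchars(). The field names and function names are assumed for the example; in a WordPress plugin the equivalent calls are sanitize_text_field()/sanitize_textarea_field() on save and esc_html()/esc_attr() on output.

```php
<?php
// Added example, not the plugin's code. Simulates one contact-form entry
// submitted by an unauthenticated visitor and later viewed by an admin.

// Constructed input: the advisory's PoC payload in every accepted field.
$payload = '<img src onerror=alert(/XSS/)>';
$submission = ['name' => $payload, 'subject' => $payload, 'message' => $payload];

// Vulnerable store: the raw POST value is saved as-is (no sanitisation).
function store_entry_vulnerable(array $post): array {
    return $post;
}

// Hardened store: strip tags and control characters on the way in.
// (WordPress equivalent: sanitize_text_field() / sanitize_textarea_field().)
function store_entry_hardened(array $post): array {
    $clean = [];
    foreach ($post as $field => $value) {
        $value = strip_tags((string) $value);
        $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $value);
        $clean[$field] = trim($value);
    }
    return $clean;
}

// Vulnerable admin view: stored values are concatenated straight into HTML,
// so the payload reaches the admin's browser as live markup.
function render_entry_vulnerable(array $entry): string {
    $html = "<table>\n";
    foreach ($entry as $field => $value) {
        $html .= "<tr><th>$field</th><td>$value</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened admin view: every untrusted value is escaped for the HTML text
// context it lands in. (WordPress equivalent: esc_html().)
function render_entry_hardened(array $entry): string {
    $html = "<table>\n";
    foreach ($entry as $field => $value) {
        $th = htmlspecialchars((string) $field, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $td = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<tr><th>$th</th><td>$td</td></tr>\n";
    }
    return $html . "</table>\n";
}

echo "--- vulnerable: payload rendered as markup ---\n";
echo render_entry_vulnerable(store_entry_vulnerable($submission));

echo "--- hardened: tags stripped on input, escaped on output ---\n";
echo render_entry_hardened(store_entry_hardened($submission));

// Check: output escaping alone is what stops the XSS. Rendering the raw
// submission through the hardened view must not emit a live <img> tag.
$vuln = render_entry_vulnerable(store_entry_vulnerable($submission));
$hard = render_entry_hardened($submission);   // escape-only, no input step
$ok = strpos($vuln, '<img') !== false
   && strpos($hard, '<img') === false
   && strpos($hard, '&lt;img') !== false;
echo $ok ? "check: escaping neutralises the payload\n" : "check: FAILED\n";
exit($ok ? 0 : 1);
```

Input sanitisation is defence in depth, not the fix: the same stored value may later be emitted into an attribute, a JavaScript block or an e-mail notification, each of which needs its own context-specific escaping at the point of output.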