The CP Contact Form with PayPal WordPress plugin was affected by multiple XSS security vulnerabilities.
Version <= 1.2.97 - /wp-admin/admin.php?page=cp_contact_form_paypal.php&edit=1&cal=1&item=css"><img src=x onerror=alert(/XSS/)>&r=1 (fixed in 1.2.98)