The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
On the dashboard navigate to weForms > All Forms > Add Form > Choose Contact Form; Click Create Form > Settings Inject with cross-site scripting (xss) payload: on Message to Show form. Save Form On the post/page containing the form, fill up the contact form and submit it to trigger the payload