The cforms plugin has a XSS vulnerability in file lib_ajax.php with rs and rsargs[] parameters. It is fixed in version 13.2. The cforms2 fork was forked at 14.6, so it is not affected.
packetstormsecurity.com/files/95395/
vulners.com/exploitdb/EDB-ID:34946
www.securityfocus.com/bid/44587/