Contact Form DB <= 2.8.15 is vulnerable to Multiple XSS

Multiple cross-site scripting (XSS) vulnerabilities in the Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin before 2.8.20 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) form or (2) enc parameter in the CF7DBPluginShortCodeBuilder page to wp-admin/admin.php. A partial patch was released in version 2.8.16 but the problem was not fully resolved until 2.8.20.