Contact Forms by Cimatti <= 1.4.11 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability

The Cimatti Contact Forms plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.4.11.This is due to insufficient input sanitization and output escaping on the title value of a form and makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser. This only affects multi-site installations and installations where unfiltered_html is disabled.