Not necessarily an issue, but we have a contact form that includes first name, last name, etc. Our security consultants tested the form and used HTML code like <a >Jason</a> within the first name text field.
When we received the notification from the contact form, the HTML code came through as a hyperlink. Our security team sees this as a vulnerability with the plugin since it's not cleansing the HTML code. They see this as someone could submit a link hoping someone would click on it and send them to a malicious website.
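
The behaviour described in the post above, next to the escaped form of the same notification, as an added example that is not part of the original post or the plugin's code. The table template, function names and sample submission (including the placeholder href) are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample submission; the href is a placeholder, not a value from the post.
SUBMISSION = {
    "First name": '<a href="https://example.invalid/">Jason</a>',
    "Last name": "Smith",
    "Message": "Hello & thanks <b>team</b>",
}
TEMPLATE_TAGS = {"table", "tr", "th", "td"}  # markup the (assumed) template itself emits

def render_unsafe(fields):
    """Behaviour the post describes: values are pasted into the HTML body as-is."""
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in fields.items())
    return f"<table>{rows}</table>"

def render_escaped(fields):
    """Hardened form: labels and values are HTML-escaped before insertion."""
    rows = "".join(
        f"<tr><th>{html.escape(k)}</th><td>{html.escape(v)}</td></tr>"
        for k, v in fields.items()
    )
    return f"<table>{rows}</table>"

class _Collector(HTMLParser):
    """Records the elements and text an HTML mail client would parse."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def parse_body(body):
    """Return (tags not from the template, text the recipient sees)."""
    parser = _Collector()
    parser.feed(body)
    parser.close()
    return sorted(set(parser.tags) - TEMPLATE_TAGS), "".join(parser.text)

if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        print(render.__name__, parse_body(render(SUBMISSION)))
```

The same `parse_body` check can be used as a regression test on a notification template: any tag outside the template's own set means a submitted value reached the mail body as markup.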