The Contact List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability existed in versions of the plugin up to 2.9.41 and was caused by the plugin not properly validating and escaping user input, so injected script code is reflected back in the page the plugin returns. To exploit it, an attacker has to trick a user into clicking a link or performing an action that executes the injected code in that user's browser. The injected code could then be used to take control of a website or access confidential information.