It seems the latest version is vulnerable to XSS attack.
1: go to http://site.com/contact-us/ (tested on http://bestwebsoft.com/contacts/contact-us/ and it works as well)
2: put xss payload in any form
3: submit it with incomplete form (e.g invalid captcha)
4: payload used xxx"<>/**/onmouseover=confirm(1)<>/**/;//