The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
On the dashboard navigate to weForms > All Forms > Add Form > Choose Contact Form;
Click Create Form > Settings
Inject with cross-site scripting (xss) payload: <img src=x onerror=alert(document.cookie);> on Message to Show form.
On the post/page containing the form, fill up the contact form and submit it to trigger the payload