in <input type="file" name="photo" id="wpfh_message_file">, if Photo was selected. Also, attackers can submit the form with the following entered into <textarea style="width:100%;height:70px" name="photo-message"></textarea>.
For some basic XSS protection, use <textarea name="message">, or update the plugin.
Type: XSS (Cross Site Scripting)
OWASP Top 10: A3: Cross Site Scripting (XSS)