Cross-site scripting would be where someone can put client-side Javascript into a request for a web page in violation of the same-origin policy that generally governs script access. Another less common possibility (but also works in the same sort of manner) could be a cross-site request forgery.

These types of vulnerabilities are why I strongly encourage people to use widely-used CMSes, especially those that have enterprise or .gov live deployments. Sure, you get a lot of extra overhead... but you also get a large community that audits these sorts of things. Plus, if you ever have to deal with anything that has compliance issues (PCI, HIPAA, FISMA, etc), most of the burden comes off of you.

I know of a great story about migrating a website away from a stonewalling developer for a client via a contact form on a custom CMS...