Forms in specific grant several attack vectors.
1) sql injection attack
Unvalidated data can contain sql code, which can modify data, drop data or read data (depending on the application) within your whole databse.
2) cross site request forgery (XSRF)
If you do not make sure, that the data, you receive actually comes from your site (ie with a session persisted token), other sites can copy your webpage and act as a proxy for all requests.
The reason for doing this is, that they can then make copies of the transmitted data. This can be used for fishing for example.
3) cross site script injection
Even if the data itself does no harm to your database and comes from your website, the input can contain javascript, which will be executed every time the content is displayed in your site. (typically can be tested with alert(1) or similar).
This can be prevented by stripping javascript away.