Thanks to Sucuri for this blog post… this is taken directly from their website to help get the word out!
If you’re using the Custom Contact Forms WordPress plugin, you need to update it right away.
During a routine audit for our WAF, we found a critical vulnerability that allows an attacker to download and modify your database remotely (no authentication required).
We disclosed the vulnerability to the plugin developer a few weeks ago, but they were unresponsive, so we engaged the WordPress Security team. They were able to close the loop with the developer and get a patch released; you might have missed it:
This plugin has more than 600,000 downloads, and the vulnerability affects every website using the plugin’s 126.96.36.199 version and lower. As we said before, it allows an attacker to take control of a victim’s website without requiring any privileges or accounts beforehand.
This vulnerability is categorized as Critical. You need to update Custom Contact Forms to its latest version as soon as possible.
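One practical follow-up, added here as an example and not taken from Sucuri’s post or from the plugin’s own code: a POSIX shell script that reads the `Version:` header from the plugin’s main file and reports whether the installed release is at or below a cutoff, so you can confirm an install is affected before updating and confirm it is clean afterwards. The path `wp-content/plugins/custom-contact-forms/custom-contact-forms.php` is an assumption about the plugin’s slug and filename, only dotted-numeric versions are handled, and the cutoff is supplied by the caller because the version number as reproduced above is garbled.

```shell
#!/bin/sh
# Added example, not code from Sucuri's post or the plugin: read the
# "Version:" header of a WordPress plugin's main file and compare it with a
# cutoff supplied on the command line.
# Assumptions: the main file is
#   wp-content/plugins/custom-contact-forms/custom-contact-forms.php
# (slug and filename assumed), versions are dotted-numeric, and the cutoff
# comes from the caller because the advisory text above does not carry a
# usable number.

# plugin_version FILE: print the value of the first "Version:" header line.
# Matches both "Version: 1.2.3" and " * Version: 1.2.3" header styles.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_le A B: succeed (exit 0) when A <= B, comparing dotted components
# numerically so that 2.3.0.1 <= 2.3.1 and 2.3 == 2.3.0 (plain string
# comparison would get both of these wrong).
version_le() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 0
}

# check_plugin FILE CUTOFF: exit 0 if the installed version is newer than
# CUTOFF, 1 if it is CUTOFF or older (affected), 2 if no header was found.
check_plugin() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "no Version header found in $1" >&2
        return 2
    fi
    if version_le "$v" "$2"; then
        echo "AFFECTED: $1 reports version $v (<= $2); update the plugin"
        return 1
    fi
    echo "ok: $1 reports version $v (> $2)"
    return 0
}

# make_sample FILE VERSION: write a constructed plugin header (a test
# fixture, not the real plugin file) so the checks can be exercised offline.
make_sample() {
    printf '<?php\n/*\nPlugin Name: Custom Contact Forms\nVersion: %s\n*/\n' "$2" > "$1"
}

if [ $# -ge 2 ]; then
    # Real use: check_plugin PATH/custom-contact-forms.php CUTOFF
    check_plugin "$1" "$2"
else
    # Self-demo on a constructed header; 1.2.3 and 1.2.2 are made-up numbers.
    tmp=$(mktemp)
    make_sample "$tmp" 1.2.3
    check_plugin "$tmp" 1.2.3 || echo "(exit status $?: same version as cutoff)"
    check_plugin "$tmp" 1.2.2 || echo "(exit status $?)"
    rm -f "$tmp"
fi
```

Run it as `sh check.sh /var/www/html/wp-content/plugins/custom-contact-forms/custom-contact-forms.php <cutoff>`; the exit status (0 clean, 1 affected, 2 unreadable) makes it usable from a fleet-wide loop over hosts. On hosts with WP-CLI, `wp plugin get custom-contact-forms --field=version` does the same lookup and `wp plugin update custom-contact-forms` applies the update (slug assumed as above).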