While it is not a vulnerability of WordPress or its plugins, because there must be so many users of our products who are at risk of these vulnerabilities, and the damage from it could be huge, I think I should write an article here to alert you to the issue.
A mail-tag has a corresponding form-tag; when an email is composed, a mail-tag in the email template is replaced with the user input value that comes through the input field represented by the corresponding form-tag.
From my long experience in helping Contact Form 7 users on the support forum, I can say that the most common reason behind troubles is interference from other plugins or from the theme that the user uses.
Receiving multiple emails with the same content from the same sender in a short period of time — I often receive support requests like this.
Although some suppose these are caused by a bug or made by spam bots, in most cases they are created by real humans. It is real, well-meaning people who are making multiple submissions through contact forms on their sites.
They ask me if they can make Contact Form 7 prevent such multiple submissions. Actually this is not difficult at all. You have some options to do so, such as disabling the Submit button after the first submission.
You might think that such functions should be activated by default if it is not difficult. In reality such functions are intentionally not implemented in this plugin — because it obviously leads to a terrible outcome.
Contact Form 7 5.1.5 is now available. This is a maintenance release that includes some improvements. Version 5.1.5 is the first to have been tested with WordPress 5.3.
Flamingo 2.1 is now available. You no longer have to move spam messages to Trash manually since Flamingo does the task for you. Also, a new contributor has joined the Flamingo development team.
Contact Form 7 protects your forms from spammers with several different spam protection modules such as Akismet, reCAPTCHA, and disallowed list. These modules help a lot, but how can you know which module has blocked a submitted message and why the module has blocked it?