I just discovered this security issue today, 10 days after aenea’s note. No alerts from Wordfence that I have, in production, 2 plugins that are known-to-be-compromised and were removed from the WP repository: “Fast Secure Contact Form” & “SI Captcha Anti-Spam”
I’m a premium subscriber, and the Wordfence team has always impressed me. So wanted to alert that this functionality is not working as intended/described above, and give the opportunity to troubleshoot further. I have to believe that “just a matter of time” is not a typical WF design spec.
More info here: https://www.fastsecurecontactform.com … similar situation as the recent investigative expose that was posted on the WF blog (great job!).
