A security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, could allow malicious JavaScript injection on a victim website. The vulnerability is a cross-site request forgery (CSRF) that leads to stored cross-site scripting (XSS). XSS allows an attacker to execute arbitrary JavaScript within the browser of a victim user. There is no patch available yet, and versions 3.1.9 and below are affected. WordPress removed the plugin from the plugin repository on Feb. 1.
Source: https://threatpost.com/unpatched-wordpress-plugin-code-injection/163706/

