Posted by Shane
According to Jeff at the WPTavern, Contact Form 7 got a flaw in the programing to allow hackers and spammers to add content to the site without having the proper access. With that said, I have disabled my contact form at this time until the author can provide a patch/fix. Mark Jaquith, a WordPress developer, reported this flaw.
You can read the forum thread on WordPress.org here.