The Builder Contact add-on contains a security loophole that allows hackers to send spam / phishing emails on behalf of websites that use it, according to a announcement the company's.
The issue was first reported by some members of the company support forum and soon after by the WordFence team.
According to the company's announcement, immediate measures have been taken to fix all the security gaps and one has been released information.
If you use Builder Contact in the previous version 1.4.6, you should update to the latest version immediately.
If you have installed the old version of Contact Builder on your server but have not activated it, delete it or replace it with the latest version (do not leave the version containing vulnerabilities on the server, even if you don't have it enabled).
If your subscription has expired and the Builder Contact cannot be updated, contact the company and they will give you the new version for free with a 3 month subscription extension.