Hi. I recently added the contact form plug in (latest version) to all pages of my site. I UN-checked the allow comments option on all pages.
A few days later I then received an email from someone who was probably a spammer from some SEO company and who had filled out the form on one of the pages
The email or the post that created it did not appear anywhere on the WP admin panel, nor could I find any way to remove it.
I was not too worried however, until I googled some of the text in the email and found links from google to my site!!
IMHO this is a serious vulnerability as the post / email cannot be moderated or deleted and although it does not appear on the site it can be found on google and is a great way for spammers to get links as well as post malicious comments about the site. Surely the content of a "Contact Us" form should be completely confidential!
I have since had a couple more emails from probable spammers and have had to remove the contact form until this issue is resolved.