SQL Injection via XSS flaw in Contact Form 7 plugin: attackers can inject SQL queries through GET requests, exploiting vulnerability in `active-tab1` parameter. Protect with escaping & data validation, integrate WAFs like Wordfence.