Joomla! released version 3.9.11 on August 13, 2019, to patch vulnerabilities found within versions 1.6.2 and 3.9.10. This latest security update fixes a vulnerability that allows for mail submission in disabled forms.
Prior to this patch, it was possible for anyone to submit a mail submission to a form even if it was disabled. Com_contact is activated by default in Joomla! installations. This means any user running Joomla! versions 1.6.2-3.9.10 are affected by this vulnerability. With no contacts established or the functionality is disabled, the plugin should not have the ability to send an email, however, with this particular vulnerability it can still send spam emails.