WebForms by VladimirPopov is very popular free module that allow you to create a custom contact forms and embed them on your Magento site easily. Recently a security issue is discovered in module that allow attacker to inject a script that will allow him to upload any file to server through URL and browser. Updating module to latest version is highly recommended however if your site is already hacked that will not resolve a issue. To make things worst some Magento administrators reported that hack can send a email with server data to specified email address, extending vulnerability of hacked Magento.
After updating module to latest version I strongly suggest complete scan of your file system using MageFence tool that will run through server and search for suspicious files and malware code in files. Once scan is completed you can see results and remove injected and infected files, if infected files are located in app/code/core/Mage folder you can use Magento installation package to overwrite those files and upload clean one.
MageFence comes with built in file scanner that will create a starting point on installation and after that any changes in files will be recorded and reported. So you will be able to see and track any changes that are made, this is key feature in early detection of hack attempts. ExtensionsMall update their security module on regular base and all confirmed security issues are included in vulnerability checklist and malware definition base.