linux

How is the left mail sent from the site?

A tiny, useless WordPress site. Stock WP. No additional plugins. Updated regularly. Visitors - zero point five tenths with a penny.
WPMail SMTP plugin configured (WPForms developer). Sending mail is configured via smpt with ssl authorization on gmail.
During the week, 3 letters were sent to the admin mail of the site, sent from this site (server) from the above mailbox (WPMail SMTP). Two letters in English, one in Russian, the content is spam.
The site from the world is only available on ports 80 and 443.
Naturally, the password has already been changed in the mail without updating it in the WP plugin.
What are the options? WP hacked? WPMailSMTP plugin collects info and sends it to someone? Hacked WP plugin?
I searched the site directory for entries by mailbox name. Nowhere. Accordingly, both the login and password are stored in the database, and even more so there is no access to it from the outside.