Been through this exact scenario with Gravity Forms a few months back at my company. The trickiest part is that compromised versions often phone home to command and control servers, so check your network traffic logs if you have access.
Run this quick MySQL query to spot suspicious admin accounts that might’ve been created: SELECT * FROM wp_users WHERE user_registered > 'YYYY-MM-DD'; (replace the date with when you last updated).
Also dig into your wp-config.php and .htaccess files. I’ve seen backdoors hide there as innocent looking code comments. The malicious code usually sits dormant for weeks before activating, so don’t assume you’re safe just because nothing seems broken right now.
One thing that helped us was checking file modification timestamps in the plugin directory. If you see files modified after the official plugin release date, that’s a red flag.
Most importantly, if you find anything suspicious, don’t just delete the plugin. Document what you find first - knowing the attack vector helps prevent it from happening again.
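The timestamp check from the post, as an added example (not the poster's own script): it walks a plugin directory and lists every file whose mtime is later than the official release date. The plugin tree, the release date and the file names are constructed for the demo; mtimes can be reset by an attacker, so an empty result is not proof of a clean install, and any hit still needs a manual diff against a known-good copy of the plugin.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def files_modified_after(plugin_dir, release_date):
    """Return files under plugin_dir whose mtime is later than release_date.

    release_date is a timezone-aware datetime (the plugin's official release).
    A file touched after that date is the red flag from the post; it is a lead
    to review, not a verdict, since mtimes can be forged.
    """
    cutoff = release_date.timestamp()
    suspicious = []
    for path in sorted(Path(plugin_dir).rglob("*")):
        if path.is_file() and path.stat().st_mtime > cutoff:
            suspicious.append(path.relative_to(plugin_dir).as_posix())
    return suspicious


def build_demo_plugin_dir():
    """Constructed sample tree (assumed layout, no real plugin code):
    one file backdated to the release and one touched 30 days later."""
    root = tempfile.mkdtemp(prefix="plugin-demo-")
    release = datetime(2024, 1, 15, tzinfo=timezone.utc)  # placeholder date

    shipped = Path(root, "gravityforms.php")
    shipped.write_text("<?php // placeholder plugin file\n")
    os.utime(shipped, (release.timestamp(), release.timestamp()))

    touched = Path(root, "includes", "helper.php")
    touched.parent.mkdir()
    touched.write_text("<?php // placeholder file modified after release\n")
    later = release.timestamp() + 30 * 86400
    os.utime(touched, (later, later))
    return root, release


if __name__ == "__main__":
    demo_root, demo_release = build_demo_plugin_dir()
    for rel in files_modified_after(demo_root, demo_release):
        print("modified after release:", rel)
```

Run it against a real install by passing the plugin path (for example wp-content/plugins/gravityforms) and the release date taken from the plugin's changelog.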