WP-Safety

Обратный звонок Security & Risk Analysis

wordpress.org/plugins/call-me-spoot

Плагин добавляет на сайт кнопку и форму заказа обратного звонка.

100 active installs v1.4 PHP + WP 4.5.3+ Updated Mar 8, 2019
callback-requestcallback-request-buttoncallback-request-form
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Обратный звонок Safe to Use in 2026?

Generally Safe

Score 85/100

Обратный звонок has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The 'call-me-spoot' plugin version 1.4 presents a significant security risk due to multiple unauthenticated entry points and poor output escaping practices. The static analysis revealed two AJAX handlers, both of which lack authentication checks. This means any unauthenticated user could potentially trigger these handlers, leading to unintended actions or information disclosure.

While the plugin utilizes prepared statements for SQL queries, which is a strength, the overwhelmingly low percentage of properly escaped output (13%) is a major concern. This indicates a high likelihood of cross-site scripting (XSS) vulnerabilities, where malicious code could be injected into the website's output. The presence of `create_function`, while less critical on its own, can also be a vector for code injection if not handled with extreme care. The absence of any recorded vulnerability history is positive but does not negate the inherent risks identified in the code analysis.

In conclusion, the plugin's security posture is weak. The unauthenticated AJAX handlers and severe output escaping deficiencies create substantial risks. While good practices like prepared statements are present, they are overshadowed by critical vulnerabilities that require immediate attention. The plugin's attack surface is small but poorly secured.

Key Concerns

  • Unprotected AJAX handlers
  • Low output escaping percentage
  • Use of dangerous function create_function
  • Missing nonce checks on AJAX handlers
Vulnerabilities
None known

Обратный звонок Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Обратный звонок Code Analysis

Dangerous Functions
4
Raw SQL Queries
0
0 prepared
Unescaped Output
7
1 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

create_functionadd_filter('wp_mail_charset', create_function('', 'return "utf-8";'));call-me-spoot.php:71
create_functionadd_filter('wp_mail_content_type', create_function('', 'return "text/html";'));call-me-spoot.php:72
create_functionremove_filter('wp_mail_charset', create_function('', 'return "utf-8";'));call-me-spoot.php:76
create_functionremove_filter('wp_mail_content_type', create_function('', 'return "text/html";'));call-me-spoot.php:77

Output Escaping

13% escaped8 total outputs
Attack Surface
2 unprotected

Обратный звонок Attack Surface

Entry Points2
Unprotected2

AJAX Handlers 2

authwp_ajax_cms30_sendcall-me-spoot.php:83
noprivwp_ajax_cms30_sendcall-me-spoot.php:84
WordPress Hooks 7
actionplugins_loadedcall-me-spoot.php:14
actionwp_headcall-me-spoot.php:34
actionwp_enqueue_scriptscall-me-spoot.php:35
actionwp_footercall-me-spoot.php:60
actionwp_footercall-me-spoot.php:61
filterwp_mail_charsetcall-me-spoot.php:71
filterwp_mail_content_typecall-me-spoot.php:72
Maintenance & Trust

Обратный звонок Maintenance & Trust

Maintenance Signals

WordPress version tested5.1.22
Last updatedMar 8, 2019
PHP min version
Downloads14K

Community Trust

Rating100/100
Number of ratings2
Active installs100
Alternatives

Обратный звонок Alternatives

WP Request Callback

WP Request Callback

wp-request-callback

A
85

Capture callback requests from potential clients on your site. Use our built in forms or create your own. Simple, customisable, and easy to use.

10 No CVEs
Developer Profile

Обратный звонок Developer Profile

Alex Kuimov

9 plugins · 2K total installs

85
trust score
Avg Security Score
87/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Обратный звонок

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/call-me-spoot/css/font-awesome.css/wp-content/plugins/call-me-spoot/css/style.css/wp-content/plugins/call-me-spoot/js/phone_mask.js/wp-content/plugins/call-me-spoot/js/script.js
Script Paths
/wp-content/plugins/call-me-spoot/js/phone_mask.js/wp-content/plugins/call-me-spoot/js/script.js
Version Parameters
call-me-spoot/css/font-awesome.css?ver=call-me-spoot/css/style.css?ver=call-me-spoot/js/phone_mask.js?ver=call-me-spoot/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
cms30_linkcms30_buttoncms30_modal_wrappercms30_close_modalcms30_modal_dialogcms30_containercms30_callback_formcms30_close_modal_min+2 more
Data Attributes
data-cms30-phone-maskdata-cms30-form-submit
JS Globals
ajax_object
Shortcode Output
<a class="cms30_link cms30_button" href="#cms30_call_me"><i class="fa fa-phone-square" aria-hidden="true"></i> Callback request</a><div class="cms30_modal_wrapper" id="cms30_call_me"> <a href="#close" class="cms30_close_modal"></a> <div class="cms30_modal_dialog"> <div class="cms30_container"> <form class="cms30_callback_form" action="#" method="post"> <a href="#close" class="cms30_close_modal_min"></a> <div class="title_h3">Callback form</div> <input name="cms30_phone" class="cms30_phone" placeholder="Phone" type="tel" tabindex="1"> <input type="hidden" name="cms30_msg" class="cms30_msg" value="Thanks!"> <button name="submit" type="submit">Send</button> <a class="copyright" title="Форма обратного звонка WordPress" href="https://cms3.ru/">Форма обратного звонка WordPress</a> </form> </div> </div> </div>
FAQ

Frequently Asked Questions about Обратный звонок