Contact Manager Security & Risk Analysis

wordpress.org/plugins/contact-manager

Allows you to create and manage your contact forms and messages.

100 active installs · v9.1.1 · PHP 5.3+ · WP 3.8+ · Updated Feb 12, 2026

Tags: captcha, captchas, contact, email, emails

Score: 66 (C · Use Caution)
CVEs total: 4
Unpatched: 1
Last CVE: Mar 23, 2026
Safety Verdict

Is Contact Manager Safe to Use in 2026?

Use With Caution

Score 66/100

Contact Manager has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

4 known CVEs · 1 unpatched · Last CVE: Mar 23, 2026 · Updated 1mo ago
Risk Assessment

The "contact-manager" plugin v9.1.1 exhibits several concerning security weaknesses despite a seemingly controlled attack surface. While the plugin has a limited number of entry points (3 shortcodes) and no directly unprotected AJAX or REST API routes, the static analysis reveals significant risks within its codebase. The presence of 6 "unserialize" calls is a major red flag, as deserialization of untrusted data is a common attack vector. Furthermore, only a minuscule 10% of outputs are properly escaped, suggesting a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis also highlights 4 high-severity flows with unsanitized paths, indicating potential for malicious data to be processed without proper validation.

The vulnerability history is particularly worrying. With 3 known CVEs, 1 of which is currently unpatched and 2 being high severity, this plugin has a track record of significant security flaws. The types of past vulnerabilities (Deserialization, XSS, Unrestricted Upload) directly correlate with the risks identified in the static analysis. The recentness of the last vulnerability (2026-02-04) suggests ongoing or recently discovered issues. While the plugin demonstrates some strengths like a good number of capability checks (78) and a low percentage of uninitiated SQL queries (1% prepared), these are overshadowed by the critical risks associated with unserialization, XSS potential, and the history of exploitable vulnerabilities.

Key Concerns

  • Unpatched high severity CVE
  • Multiple high severity taint flows
  • Dangerous function: unserialize usage
  • Low percentage of properly escaped output
  • Two high severity known CVEs
  • One medium severity known CVE
  • High percentage of raw SQL queries
  • File operations present
  • External HTTP requests present
Vulnerabilities (4)

Contact Manager Security Vulnerabilities

CVEs by Year

  • 2025: 2 CVEs
  • 2026: 2 CVEs (has unpatched)

Severity Breakdown

  • High: 2
  • Medium: 2

4 total CVEs

  • CVE-2026-32517 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Contact Manager <= 9.1 - Reflected Cross-Site Scripting
    Mar 23, 2026 · Patched in 9.1.1 (4d)

  • CVE-2025-68853 · high · 8.1 · Deserialization of Untrusted Data
    Contact Manager <= 9.1 - Unauthenticated PHP Object Injection
    Feb 4, 2026 · Unpatched

  • CVE-2025-8783 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Contact Manager <= 8.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'title'
    Aug 18, 2025 · Patched in 8.6.6 (1d)

  • CVE-2025-1028 · high · 8.1 · Unrestricted Upload of File with Dangerous Type
    Contact Manager <= 8.6.4 - Unauthenticated Arbitrary Double File Extension Upload
    Feb 4, 2025 · Patched in 8.6.5 (191d)

Code Analysis
Analyzed Mar 16, 2026

Contact Manager Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 129 (1 prepared)
Unescaped Output: 568 (63 escaped)
Nonce Checks: 11
Capability Checks: 78
File Operations: 9
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize (admin-pages-functions.php:54):
      $GLOBALS['kleor_assistant'] = (array) (is_serialized($body) ? unserialize($body) : array()); }
  • unserialize (form-page.php:140):
      $item_custom_fields = (array) unserialize(htmlspecialchars_decode($_POST['custom_fields']));
  • unserialize (includes\add-message.php:32):
      $custom_fields = (array) unserialize(stripslashes($message['custom_fields']));
  • unserialize (includes\item-data.php:49):
      $item_custom_fields = (array) unserialize(stripslashes($item_data['custom_fields']));
  • unserialize (message-page.php:191):
      $item_custom_fields = (array) unserialize(htmlspecialchars_decode($_POST['custom_fields']));
  • unserialize (tables-functions.php:143):
      $item_custom_fields = (array) unserialize($data);

SQL Query Safety

1% prepared (130 total queries)

Output Escaping

10% escaped (631 total outputs)

Data Flows: 7 unsanitized

Data Flow Analysis

16 flows, 7 with unsanitized paths

  • contact_manager_pages_search_field (admin-pages-functions.php:486)
Attack Surface

Contact Manager Attack Surface

Entry Points: 3
Unprotected: 0

Shortcodes (3)

  • [user] · contact-manager.php:183
  • [contact-manager] · contact-manager.php:184
  • [sender] · contact-manager.php:189

WordPress Hooks (22)

  • action · admin_bar_menu · admin-pages-functions.php:18
  • action · admin_head · admin-pages-functions.php:132
  • action · admin_footer · admin-pages-functions.php:215
  • action · admin_footer · admin-pages-functions.php:338
  • action · admin_enqueue_scripts · admin-pages-functions.php:775
  • action · admin_enqueue_scripts · admin-pages-functions.php:776
  • action · admin_enqueue_scripts · admin-pages-functions.php:778
  • action · admin_footer · admin-pages-functions.php:779
  • action · admin_menu · admin.php:23
  • action · add_meta_boxes · admin.php:55
  • filter · plugin_row_meta · admin.php:80
  • filter · contact_autoresponders · contact-manager.php:93
  • action · init · contact-manager.php:98
  • action · init · contact-manager.php:139
  • filter · wp_insert_post_data · contact-manager.php:195
  • action · wp_footer · forms.php:31
  • action · wp_footer · forms.php:157
  • action · wp_footer · includes\forms\captcha.php:21
  • action · wp_footer · includes\forms\captcha.php:30
  • filter · the_posts · includes\preview.php:35
  • action · admin_footer · message-page.php:562
  • action · admin_footer · message-page.php:651

Maintenance & Trust

Contact Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 12, 2026
PHP min version: 5.3
Downloads: 51K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 100

Developer Profile

Contact Manager Developer Profile

Kleor

4 plugins · 1K total installs

Trust score: 82
Avg Security Score: 91/100
Avg Patch Time: 49 days
Detection Fingerprints

How We Detect Contact Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/contact-manager/libraries/css/contact-manager-style.css
  • /wp-content/plugins/contact-manager/libraries/css/contact-manager-colors.css
  • /wp-content/plugins/contact-manager/libraries/css/bootstrap.min.css
  • /wp-content/plugins/contact-manager/libraries/css/bootstrap-responsive.min.css
  • /wp-content/plugins/contact-manager/libraries/css/font-awesome.min.css
  • /wp-content/plugins/contact-manager/libraries/css/jquery-ui.min.css
  • /wp-content/plugins/contact-manager/libraries/css/jquery-ui.structure.min.css
  • /wp-content/plugins/contact-manager/libraries/css/jquery-ui.theme.min.css
  • +14 more

Script Paths

  • /wp-content/plugins/contact-manager/libraries/js/jquery.min.js
  • /wp-content/plugins/contact-manager/libraries/js/bootstrap.min.js
  • /wp-content/plugins/contact-manager/libraries/js/jquery-ui.min.js
  • /wp-content/plugins/contact-manager/libraries/js/contact-manager-admin.js
  • /wp-content/plugins/contact-manager/libraries/js/contact-manager-public.js
  • /wp-content/plugins/contact-manager/libraries/js/contact-manager-public-validation.js
  • +6 more

Version Parameters

  • /wp-content/plugins/contact-manager/libraries/css/contact-manager-style.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/contact-manager-colors.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/bootstrap.min.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/bootstrap-responsive.min.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/font-awesome.min.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/jquery-ui.min.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/jquery-ui.structure.min.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/jquery-ui.theme.min.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/contact-manager-admin.css?ver=
  • /wp-content/plugins/contact-manager/libraries/css/bootstrap-datetimepicker.css?ver=
  • /wp-content/plugins/contact-manager/libraries/js/jquery.min.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/bootstrap.min.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/jquery-ui.min.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/contact-manager-admin.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/contact-manager-public.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/contact-manager-public-validation.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/bootstrap-datetimepicker.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/jquery.form.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/jquery.validate.min.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/additional-methods.min.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/jquery.magnific-popup.min.js?ver=
  • /wp-content/plugins/contact-manager/libraries/js/jquery.mask.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • contact-manager-form
  • contact-manager-captcha
  • contact-manager-recaptcha
  • contact-manager-textarea
  • contact-manager-file-upload

HTML Comments

  • <!-- contact-manager-form-start -->
  • <!-- contact-manager-form-end -->
  • <!-- contact-manager-message-start -->
  • <!-- contact-manager-message-end -->
  • +2 more

Data Attributes

  • data-contact-manager-form-id
  • data-contact-manager-field-name

JS Globals

  • contact_manager_admin_params
  • contact_manager_public_params
  • contact_manager_public_validation_params
  • contact_manager_captcha_params

Shortcode Output

  • [contact_form
  • [contact_manager_form
  • [contact_data
  • [contact_form_category

FAQ

Frequently Asked Questions about Contact Manager