ScuolaSemplice Contacts Security & Risk Analysis

wordpress.org/plugins/scuolasemplice-contacts

Plugin that allows you to publish contact forms to acquire leads and student data that will be automatically imported into the ScuolaSemplice software

20 active installs · v1.7 · PHP 5.6+ · WP 5.3+ · Updated Dec 6, 2024
Tags: contacts, crm, dynamic-forms, leads, scuolasemplice
Score: 92 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is ScuolaSemplice Contacts Safe to Use in 2026?

Generally Safe

Score 92/100

ScuolaSemplice Contacts has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The scuolasemplice-contacts plugin v1.7 exhibits a concerning security posture due to a significant number of unprotected AJAX handlers. With 8 out of 8 AJAX handlers lacking authentication checks, this presents a substantial attack surface, making it highly vulnerable to unauthorized actions. The taint analysis further highlights this risk, with all 12 analyzed flows having unsanitized paths, including 10 of high severity. This indicates a high likelihood of code injection or data manipulation vulnerabilities being exploitable through these flows.

While the plugin shows some good practices like a relatively high percentage of prepared statements for SQL queries and a decent amount of output escaping, these strengths are heavily overshadowed by the critical lack of authorization on AJAX endpoints and the pervasive taint issues. The absence of any recorded CVEs is a positive sign, suggesting the plugin might not have been widely targeted or previously vulnerable. However, the current static analysis reveals significant weaknesses that could easily lead to exploitable vulnerabilities. The plugin's overall security is thus compromised by these critical oversights, demanding immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Taint flows with unsanitized paths (High severity)
  • Dangerous function: unserialize
  • No nonce checks
  • Bundled outdated library: DataTables v1.10.20
Vulnerabilities
None known

ScuolaSemplice Contacts Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

ScuolaSemplice Contacts Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 11 (23 prepared)
Unescaped Output: 43 (69 escaped)
Nonce Checks: 0
Capability Checks: 5
File Operations: 1
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

unserialize  ScuolasemplceContacts_Plugin.php:215
    $data = unserialize(base64_decode($_GET['act']));
unserialize  ScuolasemplceContacts_Plugin.php:361
    'data' => unserialize( $results[0]->formdata )

Bundled Libraries

DataTables 1.10.20

SQL Query Safety

68% prepared · 34 total queries

Output Escaping

62% escaped · 112 total outputs
Data Flows
12 unsanitized

Data Flow Analysis

12 flows · 12 with unsanitized paths
settingsPage (ScuolasemplceContacts_OptionsManager.php:500)
Attack Surface
8 unprotected

ScuolaSemplice Contacts Attack Surface

Entry Points: 9
Unprotected: 8

AJAX Handlers 8

auth    wp_ajax_apiforms_datatables   ScuolasemplceContacts_Plugin.php:162
auth    wp_ajax_apiforms_delete       ScuolasemplceContacts_Plugin.php:164
auth    wp_ajax_enquiry_datatables    ScuolasemplceContacts_Plugin.php:166
auth    wp_ajax_enquiry_delete        ScuolasemplceContacts_Plugin.php:168
auth    wp_ajax_enquiry_view          ScuolasemplceContacts_Plugin.php:170
auth    wp_ajax_apiforms_view         ScuolasemplceContacts_Plugin.php:172
auth    wp_ajax_apiforms_submit       ScuolasemplceContacts_Plugin.php:174
nopriv  wp_ajax_apiforms_submit       ScuolasemplceContacts_Plugin.php:175

Shortcodes 1

[ScuolasemplceForm] ScuolasemplceContacts_Plugin.php:158
WordPress Hooks 13
action  admin_notices          scuolasemplceContacts.php:43
action  plugins_loaded         scuolasemplceContacts.php:71
action  admin_menu             ScuolasemplceContacts_Plugin.php:133
action  admin_footer           ScuolasemplceContacts_Plugin.php:134
action  fetchfield_cron_hook   ScuolasemplceContacts_Plugin.php:147
action  admin_head             ScuolasemplceContacts_Plugin.php:178
action  admin_init             ScuolasemplceContacts_Plugin.php:179
action  admin_enqueue_scripts  ScuolasemplceContacts_Plugin.php:180
action  show_user_profile      ScuolasemplceContacts_Plugin.php:184
action  edit_user_profile      ScuolasemplceContacts_Plugin.php:185
action  init                   ScuolasemplceContacts_Plugin.php:188
filter  authenticate           ScuolasemplceContacts_Plugin.php:189
action  login_head             ScuolasemplceContacts_Plugin.php:190

Scheduled Events 1

fetchfield_cron_hook
Maintenance & Trust

ScuolaSemplice Contacts Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.3.21
Last updated: Dec 6, 2024
PHP min version: 5.6
Downloads: 1K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 20
Developer Profile

ScuolaSemplice Contacts Developer Profile

BluCloud Srl

1 plugin · 20 total installs

Trust score: 88
Avg Security Score: 92/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ScuolaSemplice Contacts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/scuolasemplice-contacts/css/
/wp-content/plugins/scuolasemplice-contacts/js/
