I agree this is just spam, but to partly answer your question, it is possible to get hacked from a form submit if the form contents are saved in the DB. This is how SQL injection attacks work. It’s easy to prevent by validating and sanitizing all input.
In your case where the form contents are forwarded to email and never stored on your DB, I believe you are pretty safe. There used to be attack vectors like buffer overruns, but I would expect modern systems are protected from such attacks. I don’t claim to be a security expert though, I could be wrong about the safety of form contents being emailed. I would still validate and sanitize content destined for email because the content will be stored somewhere, even if not my server. No one wants to be responsible for relaying malicious content.
And my take on auto-play if you don’t mind. You do need to make things important to your site easy for clueless people to find, no argument. I question if auto-play is the way to do it. I would suggest you lose more users like Jan and I due to auto-play than you gain by making content easy to find for the clueless. It is not out of fear that I quickly close such pages, it is out of annoyance. I maintain you can make content easy to find with proper page design without the need for auto-play.
Admittedly, I don’t know your target audience nor what you are offering besides lessons of some sort. I do know auto-play annoys a lot of people. It is your site, you may do with it as you please. I’m not suggesting you should do as I would like, just that if you haven’t, you might consider if the auto-play advantages really do outweigh the drawbacks.
