Booking for Appointments and Events Calendar – Amelia Security & Risk Analysis

wordpress.org/plugins/ameliabooking

Amelia is a powerful booking plugin for appointments and events. Manage scheduling, calendars, and availability with an all-in-one booking system.

90K active installs v2.1.2 PHP 7.4+ WP 5.3+ Updated Mar 10, 2026
Tags: appointments, booking, booking-system, event-booking-system, scheduling
Score 88 · A · Safe
CVEs total: 23
Unpatched: 0
Last CVE: Mar 4, 2026
Safety Verdict

Is Booking for Appointments and Events Calendar – Amelia Safe to Use in 2026?

Generally Safe

Score 88/100

Booking for Appointments and Events Calendar – Amelia has a strong security track record. Known vulnerabilities have been patched promptly.

23 known CVEs · Last CVE: Mar 4, 2026 · Updated 24d ago
Risk Assessment

The ameliabooking plugin version 2.1.2 exhibits a mixed security posture, with some positive security implementations alongside significant areas of concern. On the positive side, the plugin demonstrates good practices in handling SQL queries with a high percentage (83%) using prepared statements and a robust output escaping rate (92%). It also utilizes capability checks frequently and incorporates several common bundled libraries in what appears to be their intended manner. However, the presence of two dangerous function calls to `unserialize` raises immediate red flags, as deserialization vulnerabilities can be critical if not handled with extreme care. Furthermore, the taint analysis reveals three flows with unsanitized paths, indicating potential vulnerabilities related to input handling.

Key Concerns

  • Unsanitized taint flows detected
  • Dangerous unserialize function usage
  • AJAX handlers without authentication
  • Significant number of historical CVEs
  • Missing nonce checks on AJAX handlers
  • Bundled outdated Guzzle library
Vulnerabilities
23

Booking for Appointments and Events Calendar – Amelia Security Vulnerabilities

CVEs by Year

  • 2022: 7 CVEs
  • 2023: 2 CVEs
  • 2024: 7 CVEs
  • 2025: 4 CVEs
  • 2026: 3 CVEs

Severity Breakdown

  • High: 4
  • Medium: 19

23 total CVEs

CVE-2026-24963 · high · 8.8 · Incorrect Privilege Assignment

Booking for Appointments and Events Calendar – Amelia <= 1.2.38 - Authenticated (Employee+) Privilege Escalation

Mar 4, 2026 Patched in 2.0 (9d)
CVE-2026-24967 · medium · 5.3 · Missing Authorization

Amelia <= 1.2.38 - Missing Authorization

Jan 11, 2026 Patched in 2.0 (31d)
CVE-2025-14720 · medium · 5.3 · Missing Authorization

Booking for Appointments and Events Calendar – Amelia <= 1.2.38 - Missing Authorization to Unauthenticated Multiple AJAX Actions

Jan 8, 2026 Patched in 2.0.0 (1d)
CVE-2023-49282 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Amelia 1.2.18 - 1.2.36 - Unauthenticated Sensitive Information Exposure

Nov 18, 2025 Patched in 1.2.37 (60d)
CVE-2025-12482 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Booking for Appointments and Events Calendar – Amelia <= 1.2.35 - Unauthenticated SQL Injection via search

Nov 15, 2025 Patched in 1.2.36 (1d)
CVE-2025-2578 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Booking for Appointments and Events Calendar – Amelia <= 1.2.19 - Unauthenticated Full Path Disclosure

Mar 27, 2025 Patched in 1.2.20 (1d)
CVE-2025-26965 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

Amelia <= 1.2.16 - Unauthenticated Insecure Direct Object Reference

Feb 23, 2025 Patched in 1.2.17 (9d)
CVE-2024-6332 · medium · 6.5 · Missing Authorization

Booking for Appointments and Events Calendar – Amelia Premium <= 7.7 and Lite <= 1.2.4 - Missing Authorization to Sensitive Information Exposure

Sep 4, 2024 Patched in 1.2.5 (510d)
CVE-2024-6552 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Booking for Appointments and Events Calendar – Amelia <= 1.2 - Unauthenticated Full Path Disclosure

Aug 7, 2024 Patched in 1.2.1 (1d)
CVE-2024-6225 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Amelia <= 1.1.5 & Amelia (Pro) <= 7.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Jun 20, 2024 Patched in 1.1.6 (44d)
CVE-2024-31425 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Amelia <= 1.0.95 - Cross-Site Request Forgery

Apr 10, 2024 Patched in 1.0.96 (7d)
CVE-2024-1484 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Booking for Appointments and Events Calendar – Amelia <= 1.0.98 - Reflected Cross-Site Scripting

Feb 29, 2024 Patched in 1.0.99 (93d)
CVE-2023-6808 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Booking for Appointments and Events Calendar – Amelia <= 1.0.93 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Jan 18, 2024 Patched in 1.0.94 (194d)
CVE-2024-22298 · medium · 6.5 · Missing Authorization

Amelia <= 1.0.98 - Missing Authorization

Jan 17, 2024 Patched in 1.0.99 (58d)
CVE-2023-50860 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Booking for Appointments and Events Calendar – Amelia <= 1.0.85 - Stored Cross-Site Scripting via Shortcode

Dec 22, 2023 Patched in 1.0.86 (32d)
CVE-2023-29427 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Amelia <= 1.0.75 - Unauthenticated Reflected Cross-Site Scripting via 'code'

Apr 6, 2023 Patched in 1.0.76 (292d)
CVE-2022-0825 · medium · 5.4 · Incorrect Authorization

Appointment and Event Booking Calendar for WordPress – Amelia < 1.0.49 - Arbitrary Booking Update and Sensitive Data Exposure

Mar 14, 2022 Patched in 1.0.49 (680d)
CVE-2022-0837 · medium · 6.4 · Incorrect Authorization

Appointment and Event Booking Calendar for WordPress – Amelia <= 1.0.47 - Information Disclosure and SMS Spam

Mar 14, 2022 Patched in 1.0.48 (680d)
CVE-2022-0834 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Amelia <= 1.0.46 - Stored Cross Site Scripting via lastName

Mar 2, 2022 Patched in 1.0.47 (692d)
CVE-2022-0720 · medium · 5.4 · Incorrect Authorization

Appointment and Event Booking Calendar for WordPress - Amelia < 1.0.47 - Arbitrary Booking Update and Sensitive Data Exposure

Mar 1, 2022 Patched in 1.0.47 (693d)
CVE-2022-0616 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Amelia <= 1.0.46 - Cross-Site Request Forgery

Feb 23, 2022 Patched in 1.0.47 (699d)
CVE-2022-0627 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Amelia <= 1.0.46 - Reflected Cross-Site Scripting

Feb 23, 2022 Patched in 1.0.47 (699d)
CVE-2022-0687 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Appointment and Event Booking Calendar - Amelia < 1.0.47 - Arbitrary File Upload

Feb 23, 2022 Patched in 1.0.47 (699d)
Code Analysis
Analyzed Mar 17, 2026

Booking for Appointments and Events Calendar – Amelia Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 61 (299 prepared)
  • Unescaped Output: 19 (207 escaped)
  • Nonce Checks: 1
  • Capability Checks: 16
  • File Operations: 17
  • External Requests: 19
  • Bundled Libraries: 5

Dangerous Functions Found

  • unserialize · src\Domain\ValueObjects\String\Password.php:46
    `$self = unserialize(sprintf('O:%u:"%s":0:{}', strlen(self::class), self::class));`
  • unserialize · src\Infrastructure\WP\InstallActions\AutoUpdateHook.php:165
    `return $body && isset($body->info) ? unserialize($body->info) : false;`

Bundled Libraries

DataTables, TinyMCE, Guzzle 1.1, PHPMailer, Stripe PHP

SQL Query Safety

83% prepared · 360 total queries

Output Escaping

92% escaped · 226 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
getCurrentLocationCountryIso (src\Application\Services\Location\LiteCurrentLocation.php:24)
Attack Surface
3 unprotected

Booking for Appointments and Events Calendar – Amelia Attack Surface

Entry Points: 9
Unprotected: 3

AJAX Handlers 3

auth wp_ajax_amelia_remove_wpdt_promo_notice ameliabooking.php:654
auth wp_ajax_wpamelia_api ameliabooking.php:664
nopriv wp_ajax_wpamelia_api ameliabooking.php:665

Shortcodes 6

[ameliabooking] ameliabooking.php:284
[ameliacatalog] ameliabooking.php:285
[ameliaevents] ameliabooking.php:286
[ameliaeventslistbooking] ameliabooking.php:287
[ameliastepbooking] ameliabooking.php:288
[ameliacatalogbooking] ameliabooking.php:289

WordPress Hooks 66

filter woocommerce_prevent_admin_access ameliabooking.php:225
filter woocommerce_after_order_itemmeta ameliabooking.php:237
filter cron_schedules ameliabooking.php:243
action amelia_square_access_token_refresh ameliabooking.php:255
filter block_categories_all ameliabooking.php:278
filter learn-press/frontend-default-scripts ameliabooking.php:279
filter learn-press/frontend-default-scripts ameliabooking.php:283
action wp_head ameliabooking.php:305
action admin_notices ameliabooking.php:592
action admin_head ameliabooking.php:656
action wp_loaded ameliabooking.php:660
action plugins_loaded ameliabooking.php:668
action admin_init ameliabooking.php:670
action admin_menu ameliabooking.php:672
action wpmu_new_blog ameliabooking.php:681
filter script_loader_tag ameliabooking.php:691
filter style_loader_tag ameliabooking.php:692
filter script_loader_tag ameliabooking.php:694
filter style_loader_tag ameliabooking.php:695
filter plugin_row_meta ameliabooking.php:697
action wp_logout ameliabooking.php:700
action profile_update ameliabooking.php:701
action deleted_user ameliabooking.php:702
action admin_enqueue_scripts ameliabooking.php:705
action after_setup_theme extensions\divi_5_amelia\divi-5-amelia.php:43
action divi_visual_builder_assets_before_enqueue_scripts extensions\divi_5_amelia\divi-5-amelia.php:72
action et_fb_framework_loaded extensions\divi_5_amelia\divi-5-amelia.php:179
action init extensions\divi_5_amelia\server\AmeliaBookingModule.php:20
action init extensions\divi_5_amelia\server\AmeliaCatalogBookingModule.php:18
action init extensions\divi_5_amelia\server\AmeliaCatalogModule.php:20
action init extensions\divi_5_amelia\server\AmeliaCustomerPanelModule.php:20
action init extensions\divi_5_amelia\server\AmeliaEmployeePanelModule.php:20
action init extensions\divi_5_amelia\server\AmeliaEventsCalendarModule.php:20
action init extensions\divi_5_amelia\server\AmeliaEventsListModule.php:20
action init extensions\divi_5_amelia\server\AmeliaEventsModule.php:20
action init extensions\divi_5_amelia\server\AmeliaSearchModule.php:20
action init extensions\divi_5_amelia\server\AmeliaStepBookingModule.php:20
filter divi.moduleLibrary.conversion.valueExpansionFunctionMap extensions\divi_5_amelia\server\index.php:108
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:140
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:147
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:154
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:161
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:168
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:175
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:182
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:191
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:198
action divi_module_library_modules_dependency_tree extensions\divi_5_amelia\server\index.php:205
action divi_extensions_init extensions\divi_amelia\divi_amelia.php:41
filter amelia_user_profile_updated src\Application\Commands\User\Customer\UpdateCustomerCommandHandler.php:149
filter amelia_user_profile_updated src\Application\Commands\User\Customer\UpdateCustomerCommandHandler.php:172
filter amelia_user_profile_updated src\Application\Commands\User\Provider\UpdateProviderCommandHandler.php:218
filter amelia_user_profile_updated src\Application\Commands\User\Provider\UpdateProviderCommandHandler.php:238
filter mce_external_plugins src\Infrastructure\WP\ButtonService\ButtonService.php:41
filter mce_buttons src\Infrastructure\WP\ButtonService\ButtonService.php:42
action after_wp_tiny_mce src\Infrastructure\WP\ButtonService\ButtonService.php:44
action admin_enqueue_scripts src\Infrastructure\WP\ButtonService\ButtonService.php:46
action elementor/editor/before_enqueue_scripts src\Infrastructure\WP\Elementor\ElementorBlock.php:38
action elementor/widgets/register src\Infrastructure\WP\Elementor\ElementorBlock.php:39
action elementor/frontend/after_enqueue_styles src\Infrastructure\WP\Elementor\ElementorBlock.php:40
action elementor/elements/categories_registered src\Infrastructure\WP\Elementor\ElementorBlock.php:41
action admin_notices src\Infrastructure\WP\ErrorService\ErrorService.php:21
action enqueue_block_editor_assets src\Infrastructure\WP\GutenbergBlock\GutenbergBlock.php:53
action admin_head src\Infrastructure\WP\WPMenu\Submenu.php:64
action admin_init src\Infrastructure\WP\WPMenu\Submenu.php:86
action admin_enqueue_scripts src\Infrastructure\WP\WPMenu\Submenu.php:95

Scheduled Events 1

amelia_square_access_token_refresh
Maintenance & Trust

Booking for Appointments and Events Calendar – Amelia Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version: 7.4
Downloads: 1.3M

Community Trust

Rating: 92/100
Number of ratings: 751
Active installs: 90K
Developer Profile

Booking for Appointments and Events Calendar – Amelia Developer Profile

ameliabooking

2 plugins · 91K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 248 days
Detection Fingerprints

How We Detect Booking for Appointments and Events Calendar – Amelia

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ameliabooking/assets/css/booking.css, /wp-content/plugins/ameliabooking/assets/css/main.css, /wp-content/plugins/ameliabooking/assets/css/vendors.css, /wp-content/plugins/ameliabooking/assets/js/booking.js, /wp-content/plugins/ameliabooking/assets/js/main.js, /wp-content/plugins/ameliabooking/assets/js/vendors.js, /wp-content/plugins/ameliabooking/assets/js/flatpickr.min.js, /wp-content/plugins/ameliabooking/assets/js/tippy.min.js (+2 more)
Script Paths
/wp-content/plugins/ameliabooking/assets/js/booking.js, /wp-content/plugins/ameliabooking/assets/js/main.js, /wp-content/plugins/ameliabooking/assets/js/vendors.js, /wp-content/plugins/ameliabooking/assets/js/flatpickr.min.js, /wp-content/plugins/ameliabooking/assets/js/tippy.min.js, /wp-content/plugins/ameliabooking/assets/js/moment.min.js (+1 more)
Version Parameters
ameliabooking/assets/css/booking.css?ver=, ameliabooking/assets/css/main.css?ver=, ameliabooking/assets/css/vendors.css?ver=, ameliabooking/assets/js/booking.js?ver=, ameliabooking/assets/js/main.js?ver=, ameliabooking/assets/js/vendors.js?ver=, ameliabooking/assets/js/flatpickr.min.js?ver=, ameliabooking/assets/js/tippy.min.js?ver=, ameliabooking/assets/js/moment.min.js?ver=, ameliabooking/assets/js/moment-timezone-with-data.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
amelia-booking-wrapper, amelia-step-booking, amelia-catalog-booking, amelia-catalog, amelia-events, amelia-events-list-booking, amelia-admin-page, am-row (+6 more)
HTML Comments
<!-- Amelia Elementor Block -->, <!-- Amelia Gutenberg Block -->, <!-- Amelia Booking Gutenberg Block -->, <!-- Amelia Step Booking Gutenberg Block --> (+4 more)
Data Attributes
data-amelia-booking-url, data-amelia-booking-id, data-amelia-booking-step, data-amelia-booking-settings, data-amelia-booking-dates, data-amelia-booking-locale (+2 more)
JS Globals
AmeliaBooking, AmeliaBookingApp, AmeliaBookingSettings, AmeliaBookingAjax
REST Endpoints
/wp-json/amelia-booking/v1/bookings, /wp-json/amelia-booking/v1/appointments, /wp-json/amelia-booking/v1/events, /wp-json/amelia-booking/v1/services, /wp-json/amelia-booking/v1/settings, /wp-json/amelia-booking/v1/users, /wp-json/amelia-booking/v1/locations, /wp-json/amelia-booking/v1/notifications, /wp-json/amelia-booking/v1/payments, /wp-json/amelia-booking/v1/coupons
Shortcode Output
[ameliafullscreen], [ameliareservation], [ameliareservation calendar], [ameliareservation cart]
FAQ

Frequently Asked Questions about Booking for Appointments and Events Calendar – Amelia