Appointment Booking Calendar Security & Risk Analysis

wordpress.org/plugins/appointment-booking-calendar

Appointment Booking Calendar is an appointment calendar for accepting online bookings from a set of available time-slots in a calendar.

1K active installs v1.3.99 PHP + WP 3.0.5+ Updated Feb 5, 2026
appointment, appointment-calendar, booking, booking-calendar, calendar
Score: 77 · B · Generally Safe
CVEs total: 14
Unpatched: 0
Last CVE: Nov 21, 2025
Safety Verdict

Is Appointment Booking Calendar Safe to Use in 2026?

Mostly Safe

Score 77/100

Appointment Booking Calendar is generally safe to use. 14 past CVEs were resolved. Keep it updated.

14 known CVEs · Last CVE: Nov 21, 2025 · Updated 1mo ago
Risk Assessment

The "appointment-booking-calendar" plugin v1.3.99 exhibits a mixed security posture. While it demonstrates strong adherence to modern WordPress development practices with a high percentage of properly escaped outputs and the use of prepared statements for most SQL queries, several concerning signals remain. The presence of the `unserialize` function is a significant red flag, as it can lead to Remote Code Execution if not handled with extreme care and is a common vector for vulnerabilities. The taint analysis revealing 9 high-severity flows with unsanitized paths indicates potential injection vulnerabilities that could be exploited if these paths are reachable by unauthenticated users or if authorization checks are insufficient.

Key Concerns

  • Dangerous function: unserialize used
  • High severity taint flows with unsanitized paths
  • Significant historical CVEs across multiple types
Vulnerabilities
14

Appointment Booking Calendar Security Vulnerabilities

CVEs by Year

2015: 2 CVEs
2016: 3 CVEs
2019: 1 CVE
2020: 2 CVEs
2022: 1 CVE
2024: 1 CVE
2025: 4 CVEs

Severity Breakdown

Critical: 3
High: 2
Medium: 9

14 total CVEs

CVE-2025-13317 · medium · 5.3 · Missing Authorization

Appointment Booking Calendar <= 1.3.96 - Missing Authorization to Arbitrary Booking Confirmation via 'cpabc_ipncheck' Parameter

Nov 21, 2025 Patched in 1.3.97 (1d)
CVE-2025-64261 · medium · 4.3 · Missing Authorization

Appointment Booking Calendar <= 1.3.95 - Missing Authorization

Nov 15, 2025 Patched in 1.3.96 (3d)
CVE-2025-46241 · medium · 6.5 · Cross-Site Request Forgery (CSRF)

Appointment Booking Calendar <= 1.3.92 - Cross-Site Request Forgery to SQL Injection

Apr 22, 2025 Patched in 1.3.93 (9d)
CVE-2025-46247 · medium · 5.3 · Missing Authorization

Appointment Booking Calendar <= 1.3.92 - Missing Authorization

Apr 22, 2025 Patched in 1.3.93 (9d)
CVE-2024-0856 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Appointment Booking Calendar <= 1.3.82 - Cross-Site Request Forgery

Feb 28, 2024 Patched in 1.3.83 (57d)
CVE-2022-43482 · medium · 4.3 · Missing Authorization

Appointment Booking Calendar <= 1.3.69 - Missing Authorization

Oct 30, 2022 Patched in 1.3.70 (450d)
CVE-2020-9371 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Booking Calendar <= 1.3.34 - Stored Cross-Site Scripting

Mar 4, 2020 Patched in 1.3.35 (1420d)
CVE-2020-9372 · high · 7.8 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Appointment Booking Calendar <= 1.3.34 - CSV Injection

Mar 4, 2020 Patched in 1.3.35 (1420d)
CVE-2019-14791 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Booking Calendar < 1.3.19 - Cross-Site Scripting

Jul 4, 2019 Patched in 1.3.19 (1664d)
WF-4d79df74-bb28-412b-bba1-9f8a40ae981d-appointment-booking-calendar · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Appointment Booking Calendar <= 1.2.24 - SQL Injection

Jan 27, 2016 Patched in 1.2.25 (2918d)
WF-13c9a71f-ec0a-4d4a-be08-787aa22a0fae-appointment-booking-calendar · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Booking Calendar <= 1.2.24 - Cross-Site Scripting

Jan 26, 2016 Patched in 1.2.25 (2919d)
CVE-2016-10916 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Appointment Booking Calendar <= 1.1.23 - SQL Injection

Jan 25, 2016 Patched in 1.1.24 (2920d)
CVE-2015-7320 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Booking Calendar <= 1.1.7 - Multiple Reflected Cross-Site Scripting

Sep 26, 2015 Patched in 1.1.8 (3041d)
CVE-2015-7319 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Appointment Booking Calendar <= 1.1.7 - SQL Injection

Sep 26, 2015 Patched in 1.1.8 (3041d)
Code Analysis
Analyzed Mar 16, 2026

Appointment Booking Calendar Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 25 (51 prepared)
Unescaped Output: 38 (724 escaped)
Nonce Checks: 10
Capability Checks: 15
File Operations: 2
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$data = unserialize($itemdetails->buffered_date);` · inc\cpabc_appointments_admin_int_bookings_list.inc.php:60
unserialize · `$params = unserialize($app_source->buffered_date);` · inc\cpabc_appointments_admin_int_bookings_list.inc.php:85
unserialize · `$params = unserialize($events[$i]->buffered_date);` · inc\cpabc_appointments_admin_int_bookings_list.inc.php:354
unserialize · `$params = unserialize($org_booking[0]->buffered_date);` · inc\cpabc_appointments_admin_int_edit_booking.inc.php:39
unserialize · `$params = unserialize($myrows[0]->buffered_date);` · inc\cpabc_apps_go.inc.php:436
unserialize · `$params = unserialize($myrows[0]->buffered_date);` · inc\cpabc_apps_go.inc.php:491
unserialize · `$data = unserialize($item->buffered_date);` · inc\cpabc_apps_go.inc.php:803
unserialize · `$params = unserialize($mycalendarrows[$f]->buffered_date);` · inc\cpabc_apps_on.inc.php:298
unserialize · `$params = unserialize($mycalendarrows[$f]->buffered_date);` · inc\cpabc_apps_on.inc.php:319

SQL Query Safety

67% prepared · 76 total queries

Output Escaping

95% escaped · 762 total outputs
Data Flows: 9 unsanitized

Data Flow Analysis

15 flows · 9 with unsanitized paths
<cpabc_appointments_admin_int_calendar_list.inc> (inc\cpabc_appointments_admin_int_calendar_list.inc.php:0)
Attack Surface

Appointment Booking Calendar Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_cpabcal_feedback · inc\cp-feedback.php:3

Shortcodes 3

[CPABC_APPOINTMENT_CALENDAR] cpabc_appointments.php:185
[CPABC_EDIT_CALENDAR] cpabc_appointments.php:186
[CPABC_APPOINTMENT_LIST] cpabc_appointments.php:187
WordPress Hooks 19
action · elementor/widgets/widgets_registered · controllers\elementor\cp-elementor-widget.inc.php:11
action · elementor/elements/categories_registered · controllers\elementor\cp-elementor-widget.inc.php:13
action · elementor/editor/after_enqueue_styles · controllers\elementor\cp-elementor-widget.inc.php:15
action · elementor/frontend/after_enqueue_styles · controllers\elementor\cp-elementor-widget.inc.php:17
action · init · cpabc_appointments.php:139
action · init · cpabc_appointments.php:140
action · plugins_loaded · cpabc_appointments.php:141
action · plugins_loaded · cpabc_appointments.php:142
action · plugins_loaded · cpabc_appointments.php:143
action · plugins_loaded · cpabc_appointments.php:144
action · media_buttons · cpabc_appointments.php:161
action · admin_enqueue_scripts · cpabc_appointments.php:162
action · admin_menu · cpabc_appointments.php:163
action · enqueue_block_editor_assets · cpabc_appointments.php:164
action · wp_loaded · cpabc_appointments.php:165
filter · rocket_exclude_js · cpabc_appointments.php:234
action · admin_bar_menu · inc\banner.php:103
action · admin_enqueue_scripts · inc\cp-feedback.php:2
action · admin_footer · inc\cp-feedback.php:18
Maintenance & Trust

Appointment Booking Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 5, 2026
PHP min version
Downloads: 473K

Community Trust

Rating: 84/100
Number of ratings: 92
Active installs: 1K
Developer Profile

Appointment Booking Calendar Developer Profile

codepeople

34 plugins · 89K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 964 days
Detection Fingerprints

How We Detect Appointment Booking Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/appointment-booking-calendar/css/cpabc_appointments_admin.css
/wp-content/plugins/appointment-booking-calendar/css/cpabc_appointments_customer.css
/wp-content/plugins/appointment-booking-calendar/css/cpabc_appointments_styles.css
/wp-content/plugins/appointment-booking-calendar/css/jquery-ui.css
/wp-content/plugins/appointment-booking-calendar/css/jquery-ui.structure.css
/wp-content/plugins/appointment-booking-calendar/css/jquery-ui.theme.css
/wp-content/plugins/appointment-booking-calendar/js/cpabc_appointments_admin.js
/wp-content/plugins/appointment-booking-calendar/js/cpabc_appointments_customer.js
+4 more
Script Paths
/wp-content/plugins/appointment-booking-calendar/js/cpabc_appointments_main.js
/wp-content/plugins/appointment-booking-calendar/js/cpabc_appointments_validation.js
/wp-content/plugins/appointment-booking-calendar/js/cpabc_appointments_customer.js
Version Parameters
appointment-booking-calendar/css/cpabc_appointments_customer.css?ver=
appointment-booking-calendar/css/cpabc_appointments_styles.css?ver=
appointment-booking-calendar/js/cpabc_appointments_main.js?ver=

HTML / DOM Fingerprints

CSS Classes
cpabc-appointments-form
cpabc-appointments-calendar-container
cpabc-appointments-booking-form
cpabc-appointments-field-label
cpabc-appointments-input-field
cpabc-appointments-submit-button
cpabc-appointment-calendar
Data Attributes
data-cpabc-calendar-id
data-cpabc-nonce
JS Globals
cpabc_appointments_global_vars
CPABC_AJAX_URL
CPABC_APPOINTMENTS_AJAX_URL
Shortcode Output
[CPABC_APPOINTMENTS
[CPABC_APPOINTMENTS_CALENDAR