Appointment Hour Booking – Booking Calendar Security & Risk Analysis

wordpress.org/plugins/appointment-hour-booking

Appointment Hour Booking is a plugin for creating booking forms for appointments with a start time and a defined duration within a schedule.

10K active installs · v1.5.70 · PHP + · WP 3.0.5+ · Updated Mar 9, 2026
Tags: appointment, appointment-booking, booking, calendar, schedule
Score: 92
Grade: A · Safe
CVEs total: 11
Unpatched: 0
Last CVE: Jan 27, 2026
Safety Verdict

Is Appointment Hour Booking – Booking Calendar Safe to Use in 2026?

Generally Safe

Score 92/100

Appointment Hour Booking – Booking Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Jan 27, 2026 · Updated 24d ago
Risk Assessment

The 'appointment-hour-booking' plugin v1.5.70 presents a mixed security posture. On the positive side, the plugin demonstrates good practices with a high percentage of SQL queries using prepared statements and properly escaped output. It also has a relatively small attack surface with no unprotected entry points identified in the static analysis. Nonce and capability checks are present, indicating an effort to implement authorization mechanisms.

However, there are several areas of concern. The presence of 33 dangerous function calls, particularly 'unserialize', is a significant red flag. This function is risky when it handles untrusted input, because it can lead to PHP object injection vulnerabilities. The calls listed in the code analysis operate on stored values such as 'posted_data' and 'cp_user_access'. The taint analysis, which revealed 3 high-severity flows with unsanitized paths, further amplifies this risk. While the current version has no unpatched CVEs, the plugin's history of 11 known vulnerabilities, including high and medium severity issues like Cross-site Scripting and Missing Authorization, suggests a recurring pattern of security weaknesses.

In conclusion, while the plugin incorporates some security best practices, the potential for 'unserialize'-related vulnerabilities and the history of past security issues warrant caution. The significant number of high-severity taint flows with unsanitized paths is the most pressing concern stemming from the code analysis. Users should remain vigilant and keep the plugin on the latest patched version, since its record shows recurring security flaws.

Key Concerns

  • High-severity unsanitized taint flows
  • Numerous dangerous function calls ('unserialize')
  • Significant history of past vulnerabilities
  • High number of SQL queries without prepared statements
Vulnerabilities: 11

Appointment Hour Booking – Booking Calendar Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2021: 2 CVEs
  • 2022: 5 CVEs
  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 10

11 total CVEs

CVE-2026-1083 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Hour Booking – Booking Calendar <= 1.5.60 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration

Jan 27, 2026 · Patched in 1.5.61 (1d)

CVE-2024-32720 · medium · 5.3 · Guessable CAPTCHA

Appointment Hour Booking <= 1.4.56 - Captcha Bypass

Apr 22, 2024 · Patched in 1.4.57 (8d)

CVE-2023-45649 · medium · 5.3 · Missing Authorization

Appointment Hour Booking <= 1.4.23 - Missing Authorization to Double Booking

Oct 11, 2023 · Patched in 1.4.24 (311d)

CVE-2022-4035 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Hour Booking <= 1.3.72 - Unauthenticated iFrame Injection via Appointment Form

Nov 29, 2022 · Patched in 1.3.73 (420d)

CVE-2022-4034 · medium · 5.8 · Improper Neutralization of Formula Elements in a CSV File

Appointment Hour Booking <= 1.3.72 - CSV Injection

Nov 29, 2022 · Patched in 1.3.73 (420d)

CVE-2022-4036 · medium · 5.3 · Guessable CAPTCHA

Appointment Hour Booking <= 1.3.72 - CAPTCHA Bypass

Nov 29, 2022 · Patched in 1.3.73 (420d)

CVE-2022-41692 · medium · 4.3 · Missing Authorization

Appointment Hour Booking <= 1.3.71 - Missing Authorization

Oct 30, 2022 · Patched in 1.3.72 (450d)

CVE-2022-1710 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Hour Booking <= 1.3.55 - Authenticated Stored Cross-Site Scripting

May 23, 2022 · Patched in 1.3.56 (610d)

CVE-2021-24712 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Hour Booking <= 1.3.16 - Cross-Site Scripting

Sep 10, 2021 · Patched in 1.3.17 (865d)

CVE-2021-24673 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Hour Booking <= 1.3.15 Admin+ Stored Cross-Site Scripting

Sep 6, 2021 · Patched in 1.3.16 (869d)

CVE-2019-13505 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Hour Booking – WordPress Booking Plugin <= 1.1.45 - Cross-Site Scripting

Jul 9, 2019 · Patched in 1.1.46 (1659d)

Code Analysis
Analyzed Mar 16, 2026

Appointment Hour Booking – Booking Calendar Code Analysis

  • Dangerous Functions: 33
  • Raw SQL Queries: 26 (84 prepared)
  • Unescaped Output: 44 (1274 escaped)
  • Nonce Checks: 7
  • Capability Checks: 20
  • File Operations: 10
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · $data = unserialize($item->posted_data); · addons\dashboard-box.addon.php:178
unserialize · $data = unserialize($item->posted_data); · addons\icalexport.addon.php:336
unserialize · if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_o… · cp-admin-int-add-booking.inc.php:10
unserialize · if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_o… · cp-admin-int-block-times.inc.php:10
unserialize · if ( $current_user_access || @in_array($current_user->ID, unserialize( $item->cp_user_access )) ) · cp-admin-int-block-times.inc.php:121
unserialize · $options = !empty($item->cp_user_access) ? unserialize($item->cp_user_access) : array(); · cp-admin-int-list.inc.php:193
unserialize · if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_o… · cp-admin-int-message-list.inc.php:10
unserialize · $params = unserialize($myrows[0]->posted_data); · cp-admin-int-message-list.inc.php:62
unserialize · if ($current_user_access || @in_array($current_user->ID, unserialize($this->get_option("cp_user_acce… · cp-admin-int-message-list.inc.php:270
unserialize · $posted_data = unserialize($events[$i]->posted_data); · cp-admin-int-message-list.inc.php:372
unserialize · if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_o… · cp-admin-int-report.inc.php:13
unserialize · $params = unserialize($item->posted_data); · cp-admin-int-report.inc.php:86
unserialize · $options = unserialize($this->get_option('cp_user_access', serialize(array()))); · cp-admin-int-report.inc.php:215
unserialize · if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_o… · cp-admin-int-schedule.inc.php:10
unserialize · if ($current_user_access || @in_array($current_user->ID, unserialize($this->get_option("cp_user_acce… · cp-admin-int-schedule.inc.php:101
unserialize · if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_o… · cp-admin-int.inc.php:8
unserialize · $options = unserialize($this->get_option('cp_user_access', serialize(array()))); · cp-admin-int.inc.php:519
unserialize · if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_o… · cp-full-stats.inc.php:12
unserialize · $data = unserialize($item->posted_data); · cp-full-stats.inc.php:38
unserialize · $posted_data = unserialize($events[0]->posted_data); · cp-main-class.inc.php:254
unserialize · $data = unserialize($item->posted_data); · cp-main-class.inc.php:380
unserialize · $useraccess = unserialize($item->cp_user_access); · cp-main-class.inc.php:932
unserialize · $result = ($current_user_access || @in_array($current_user->ID, unserialize($this->get_option("cp_us… · cp-main-class.inc.php:1367
unserialize · $data = unserialize($myrows[$i]->posted_data); · cp-main-class.inc.php:1413
unserialize · $latestdata = unserialize($latestitem->posted_data); · cp-main-class.inc.php:1770
unserialize · $latestdata = unserialize($item->posted_data); · cp-main-class.inc.php:1820
unserialize · $params = unserialize($myrows[0]->posted_data); · cp-main-class.inc.php:2016
unserialize · if ( current_user_can('manage_options') || @in_array($current_user->ID, unserialize($this->get_optio… · cp-main-class.inc.php:2244
unserialize · $data = unserialize($item->posted_data); · cp-main-class.inc.php:2598
unserialize · $data = unserialize($item->posted_data); · cp-main-class.inc.php:2709
unserialize · $data = unserialize($item->posted_data); · cp-main-class.inc.php:2986
unserialize · if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_o… · csseditor.inc.php:13
unserialize · if ($current_user_access || @in_array($current_user->ID, unserialize($this->get_option("cp_user_acce… · csseditor.inc.php:175

SQL Query Safety

76% prepared · 110 total queries

Output Escaping

97% escaped · 1318 total outputs

Data Flows: 9 unsanitized

Data Flow Analysis

16 flows · 9 with unsanitized paths
pp_iCalExport_update_status (addons\icalexport.addon.php:294)
Attack Surface

Appointment Hour Booking – Booking Calendar Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_cpapphb_feedback · cp-feedback.php:6

Shortcodes: 1

[CP_APP_HOUR_BOOKING_LIST] · app-booking-plugin.php:143

WordPress Hooks: 35

action · cpappb_cache_check · addons\cache.addon.php:35
action · cpappb_cache_store · addons\cache.addon.php:37
action · cpappb_cache_clean · addons\cache.addon.php:39
action · cpappb_update_status · addons\cache.addon.php:41
action · cpappb_process_data · addons\cache.addon.php:42
action · cpappb_item_deleted · addons\cache.addon.php:43
filter · cpappb_the_customjs · addons\calendarless-interface.addon.php:152
filter · cpappb_the_form · addons\calendarless-interface.addon.php:153
filter · ahb_csslayout · addons\calendarless-interface.addon.php:154
action · wp_dashboard_setup · addons\dashboard-box.addon.php:108
action · init · addons\icalexport.addon.php:246
filter · cpappb_email_attachments · addons\icalexport.addon.php:248
action · media_buttons · app-booking-plugin.php:128
action · init · app-booking-plugin.php:129
action · wp_loaded · app-booking-plugin.php:130
action · plugins_loaded · app-booking-plugin.php:131
action · admin_enqueue_scripts · app-booking-plugin.php:135
action · admin_menu · app-booking-plugin.php:137
action · enqueue_block_editor_assets · app-booking-plugin.php:138
filter · autoptimize_filter_js_exclude · app-booking-plugin.php:173
filter · litespeed_cache_optimize_js_excludes · app-booking-plugin.php:237
filter · option_sbp_settings · app-booking-plugin.php:298
action · init · app-booking-plugin.php:317
filter · get_post_metadata · app-booking-plugin.php:318
filter · content_save_pre · app-booking-plugin.php:329
filter · sgo_javascript_combine_exclude · app-booking-plugin.php:346
filter · sgo_js_minify_exclude · app-booking-plugin.php:355
action · admin_bar_menu · banner.php:107
action · elementor/widgets/widgets_registered · controllers\elementor\cp-elementor-widget.inc.php:14
action · elementor/elements/categories_registered · controllers\elementor\cp-elementor-widget.inc.php:16
action · elementor/editor/after_enqueue_styles · controllers\elementor\cp-elementor-widget.inc.php:18
action · elementor/frontend/after_enqueue_styles · controllers\elementor\cp-elementor-widget.inc.php:20
action · admin_enqueue_scripts · cp-feedback.php:5
action · admin_footer · cp-feedback.php:21
filter · trp_allow_tp_to_run · cp-main-class.inc.php:1204

Maintenance & Trust

Appointment Hour Booking – Booking Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version
Downloads: 3.5M

Community Trust

Rating: 98/100
Number of ratings: 518
Active installs: 10K

Developer Profile

Appointment Hour Booking – Booking Calendar Developer Profile

codepeople

34 plugins · 89K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 964 days

Detection Fingerprints

How We Detect Appointment Hour Booking – Booking Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/appointment-hour-booking/css/styles.css
  • /wp-content/plugins/appointment-hour-booking/css/styles.css.map
  • /wp-content/plugins/appointment-hour-booking/css/admin.css
  • /wp-content/plugins/appointment-hour-booking/css/admin.css.map
  • /wp-content/plugins/appointment-hour-booking/css/materialize.min.css
  • /wp-content/plugins/appointment-hour-booking/css/materialize.min.css.map
  • /wp-content/plugins/appointment-hour-booking/css/bootstrap-datetimepicker.min.css
  • /wp-content/plugins/appointment-hour-booking/css/bootstrap-datetimepicker.min.css.map
  • +23 more

Script Paths

  • /wp-content/plugins/appointment-hour-booking/js/booking.js
  • /wp-content/plugins/appointment-hour-booking/js/cp_apphourbooking_admin.js
  • /wp-content/plugins/appointment-hour-booking/js/materialize.min.js
  • /wp-content/plugins/appointment-hour-booking/js/bootstrap-datetimepicker.min.js
  • /wp-content/plugins/appointment-hour-booking/js/jquery-ui.min.js
  • /wp-content/plugins/appointment-hour-booking/js/flatpickr.min.js
  • +2 more

Version Parameters

  • appointment-hour-booking/css/styles.css?ver=
  • appointment-hour-booking/css/admin.css?ver=
  • appointment-hour-booking/css/materialize.min.css?ver=
  • appointment-hour-booking/css/bootstrap-datetimepicker.min.css?ver=
  • appointment-hour-booking/css/jquery-ui.css?ver=
  • appointment-hour-booking/css/cp-appb-admin-styles.css?ver=
  • appointment-hour-booking/css/flatpickr.min.css?ver=
  • appointment-hour-booking/css/cp-appb-frontend-styles.css?ver=
  • appointment-hour-booking/js/booking.js?ver=
  • appointment-hour-booking/js/cp_apphourbooking_admin.js?ver=
  • appointment-hour-booking/js/materialize.min.js?ver=
  • appointment-hour-booking/js/bootstrap-datetimepicker.min.js?ver=
  • appointment-hour-booking/js/jquery-ui.min.js?ver=
  • appointment-hour-booking/js/flatpickr.min.js?ver=
  • appointment-hour-booking/js/cp-appb-frontend-script.js?ver=
  • appointment-hour-booking/js/gutenberg-editor.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • cp_appb_form
  • cp_appb_form_container
  • cp_appb_appointment_form
  • cp_appb_appointment_date
  • cp_appb_appointment_time
  • cp_appb_appointment_service
  • cp_appb_appointment_duration
  • cp_appb_appointment_submit
  • +7 more

HTML Comments

  • <!-- BEGIN CP APPBOOK FORM -->
  • <!-- END CP APPBOOK FORM -->
  • <!-- BEGIN CP APPBOOK SHORTCODE -->
  • <!-- END CP APPBOOK SHORTCODE -->
  • +2 more

Data Attributes

  • data-form-id
  • data-instance-id
  • data-cp-appb-form-id

JS Globals

  • CP_AHB_FORM_DATA
  • CP_AHB_AJAX_URL
  • CP_AHB_AJAX_NONCE
  • CP_AHB_CALENDAR_OPTIONS

Shortcode Output

  • [CP_APP_HOUR_BOOKING]
  • [CP_APP_HOUR_BOOKING_LIST]