Beds24 Online Booking Security & Risk Analysis

wordpress.org/plugins/beds24-online-booking

Accept commission-free online bookings from your WordPress website. Suitable for hotels, B&B's, holiday rentals, vacation rentals, apartments …

2K active installs · v2.0.30 · PHP + WP 2.0.2+ · Updated May 2, 2025
Tags: booking-engine, booking-system, ibe, online-booking-engine, online-booking-system
Score: 94 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is Beds24 Online Booking Safe to Use in 2026?

Generally Safe

Score 94/100

Beds24 Online Booking has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: May 7, 2025 · Updated 11mo ago
Risk Assessment

The "beds24-online-booking" plugin version 2.0.30 exhibits a mixed security posture. While the static analysis shows no direct vulnerabilities like SQL injection or untrusted paths, and all identified entry points appear to have authorization checks, several concerning signals are present. The plugin has a history of 7 known CVEs, with a significant number of medium-severity vulnerabilities related to Cross-site Scripting (XSS) and PHP Remote File Inclusion (RFI). The fact that the last vulnerability was reported very recently (May 2025) and there are currently no unpatched vulnerabilities is a positive sign, suggesting the vendor actively addresses security issues.

However, the code analysis reveals potential weaknesses: 69% of output is properly escaped, leaving a substantial portion unescaped, which could lead to XSS if malicious input is not handled correctly. The absence of nonce checks across all entry points is a major concern, as it leaves the plugin vulnerable to Cross-Site Request Forgery (CSRF) attacks. Furthermore, the plugin performs file operations and external HTTP requests, which, without proper sanitization and validation, can introduce security risks.

Key Concerns

  • No nonce checks found
  • Substantial unescaped output (31%)
  • History of 7 CVEs, including RFI and XSS
  • File operation detected
  • External HTTP request detected
  • No capability checks found

Vulnerabilities: 7

Beds24 Online Booking Security Vulnerabilities

CVEs by Year

2024: 4 CVEs
2025: 3 CVEs

Severity Breakdown

High: 1
Medium: 6

7 total CVEs

CVE-2025-47489 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Beds24 Online Booking <= 2.0.29 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 7, 2025 · Patched in 2.0.30 (7d)

CVE-2025-32155 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Beds24 Online Booking <= 2.0.28 - Authenticated (Contributor+) Local File Inclusion

Apr 4, 2025 · Patched in 2.0.29 (12d)

CVE-2025-31851 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Beds24 Online Booking <= 2.0.27 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 1, 2025 · Patched in 2.0.28 (10d)

CVE-2024-10177 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Beds24 Online Booking <= 2.0.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via beds24-link Shortcode

Nov 20, 2024 · Patched in 2.0.28 (7d)

CVE-2024-51664 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Beds24 Online Booking <= 2.0.25 - Authenticated (Administrator+) Stored Cross-Site Scripting

Nov 1, 2024 · Patched in 2.0.26 (6d)

CVE-2024-24717 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Beds24 Online Booking <= 2.0.23 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jan 31, 2024 · Patched in 2.0.24 (3d)

CVE-2023-52228 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Beds24 Online Booking <= 2.0.24 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 8, 2024 · Patched in 2.0.25 (17d)

Code Analysis
Analyzed Mar 16, 2026

Beds24 Online Booking Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 89 (202 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 1
External Requests: 1
Bundled Libraries: 0

Output Escaping

69% escaped · 291 total outputs

Attack Surface

Beds24 Online Booking Attack Surface

Entry Points: 10
Unprotected: 0

Shortcodes 10

[beds24] beds24-online-booking.php:74
[beds24-link] beds24-online-booking.php:75
[beds24-button] beds24-online-booking.php:76
[beds24-box] beds24-online-booking.php:77
[beds24-strip] beds24-online-booking.php:78
[beds24-searchbox] beds24-online-booking.php:79
[beds24-searchresult] beds24-online-booking.php:80
[beds24-embed] beds24-online-booking.php:81
[beds24-landing] beds24-online-booking.php:82
[bookwidget] inc\shortcodes\b24_jquery_widget_shortcode.php:51

WordPress Hooks 10

filter widget_text beds24-online-booking.php:14
filter query_vars beds24-online-booking.php:15
action activated_plugin beds24-online-booking.php:34
action wp_enqueue_scripts beds24-online-booking.php:72
action admin_enqueue_scripts beds24-online-booking.php:85
action admin_init inc\plugin-options\beds24-options-page.php:3
action admin_menu inc\plugin-options\beds24-options-page.php:13
action vc_before_init inc\shortcodes\b24_jquery_widget_shortcode.php:55
filter no_texturize_shortcodes inc\shortcodes\b24_jquery_widget_shortcode.php:963
action widgets_init inc\widgets\beds24_widget.php:49

Maintenance & Trust

Beds24 Online Booking Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: May 2, 2025
PHP min version
Downloads: 99K

Community Trust

Rating: 86/100
Number of ratings: 6
Active installs: 2K

Developer Profile

Beds24 Online Booking Developer Profile

markkinchin

1 plugin · 2K total installs

Trust score: 90
Avg Security Score: 94/100
Avg Patch Time: 9 days
Detection Fingerprints

How We Detect Beds24 Online Booking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/beds24-online-booking/theme-files/beds24.css
/wp-content/plugins/beds24-online-booking/js/beds24-datepicker.js
/wp-content/plugins/beds24-online-booking/css/beds24-admin.css
/wp-content/plugins/beds24-online-booking/js/beds24-admin.js

Script Paths
//media.xmlcal.com/widget/1.00/js/bookWidget.min.js

Version Parameters
beds24-online-booking/theme-files/beds24.css?ver=
beds24-online-booking/js/beds24-datepicker.js?ver=
beds24-online-booking/css/beds24-admin.css?ver=
beds24-online-booking/js/beds24-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
beds24_bookbutton

Data Attributes
data-beds24-ownerid
data-beds24-propid
data-beds24-roomid
data-beds24-advancedays
data-beds24-noselection
data-beds24-numdisplayed
+23 more

JS Globals
WPURLS

Shortcode Output
[beds24] [beds24-link] [beds24-button] [beds24-box]