Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar Security & Risk Analysis

wordpress.org/plugins/booking-manager

Showing events listing from .ics feeds or sync bookings from different sources to your website

5K active installs · v2.1.18 · PHP 5.6+ · WP 4.0+ · Updated Dec 3, 2025
Tags: booking-calendar, events, google-calendar, icalendar, ics
93
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Nov 4, 2025
Safety Verdict

Is Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar Safe to Use in 2026?

Generally Safe

Score 93/100

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Nov 4, 2025 · Updated 4mo ago
Risk Assessment

The "booking-manager" plugin v2.1.18 exhibits a mixed security posture. While the static analysis shows a relatively contained attack surface with no identified unprotected entry points and a reasonable percentage of SQL queries using prepared statements, concerns arise from the presence of the `unserialize` function. This function is a common vector for remote code execution if used with untrusted input, and its presence warrants careful review of its usage. The taint analysis, though limited in scope, did not reveal critical or high-severity unsanitized paths, which is a positive sign.

The plugin's vulnerability history is a significant concern. With a total of four known CVEs, including one high-severity vulnerability and three medium-severity ones, it indicates a past pattern of security weaknesses. The types of past vulnerabilities (XSS, Missing Authorization, SQL Injection, SSRF) are common and can have severe impacts if exploited. While there are currently no unpatched CVEs, the historical pattern suggests a higher likelihood of future vulnerabilities if development practices do not significantly improve. The most recent vulnerability dates from late 2025, which points to a recent discovery and patch.

In conclusion, "booking-manager" v2.1.18 has strengths in its limited attack surface and some secure coding practices like prepared statements. However, the presence of `unserialize` and a history of multiple vulnerabilities, including high and medium severity, necessitate a cautious approach. The plugin developers need to ensure robust input sanitization and authorization checks are consistently applied across all features, especially around the usage of `unserialize`, and maintain a proactive security patching strategy.

Key Concerns

  • Presence of dangerous function: unserialize
  • Significant number of known CVEs historically
  • History of high-severity vulnerabilities
  • History of medium-severity vulnerabilities
  • Taint analysis shows unsanitized paths
  • Only 64% of outputs properly escaped
Vulnerabilities
4

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar Security Vulnerabilities

CVEs by Year

2023: 2 CVEs
2025: 2 CVEs

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2025-64275 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Booking Manager <= 2.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting

Nov 4, 2025 · Patched in 2.1.18 (14d)

CVE-2025-10124 · medium · 5.3 · Missing Authorization

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar <= 2.1.14 - Authenticated (Contributor+) Booking Deletion

Sep 19, 2025 · Patched in 2.1.15 (28d)

CVE-2023-50840 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Booking Manager <= 2.1.5 - Authenticated (Contributor+) SQL Injection via Shortcode

Dec 21, 2023 · Patched in 2.1.6 (33d)

CVE-2023-1977 · medium · 6.3 · Server-Side Request Forgery (SSRF)

Booking Manager <= 2.0.28 - Authenticated (Subscriber+) Server-Side Request Forgery

Apr 26, 2023 · Patched in 2.0.29 (272d)
Code Analysis
Analyzed Mar 16, 2026

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 7 (16 prepared)
Unescaped Output: 269 (482 escaped)
Nonce Checks: 10
Capability Checks: 4
File Operations: 6
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize: `return unserialize( strtolower( serialize( $array ) ) );` (core\wpbm-functions.php:306)

Bundled Libraries

TinyMCE

SQL Query Safety

70% prepared · 23 total queries

Output Escaping

64% escaped · 751 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

6 flows · 4 with unsanitized paths
wpbm_make_export_ics_feeds (core\wpbc\wpbm-bc-export.php:37)
Attack Surface

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar Attack Surface

Entry Points: 3
Unprotected: 0

Shortcodes 3

[booking-manager-import] core\wpbm-shortcodes.php:49
[booking-manager-listing] core\wpbm-shortcodes.php:85
[booking-manager-delete] core\wpbm-shortcodes.php:151

WordPress Hooks 63

action wpbm_after_settings_content core\admin\api-settings.php:37
filter wpbm_settings_validate_fields_before_saving core\admin\api-settings.php:683
action wpbm_menu_created core\admin\exmpl-page-email-download_notification.php:900
filter wpbm_email_api_is_allow_send_copy core\admin\exmpl-page-email-download_notification.php:936
action wpbm_menu_created core\admin\exmpl-page-email-link-user.php:880
filter wpbm_email_api_is_allow_send_copy core\admin\exmpl-page-email-link-user.php:916
action wpbm_menu_created core\admin\page-root-ics.php:371
action wpbm_show_debug core\admin\page-root-ics.php:459
action wpbm_menu_created core\admin\page-settings-listing.php:528
action wpbm_menu_created core\admin\page-settings.php:285
action init core\admin\wpbm-toolbar-tiny.php:46
filter mce_external_plugins core\admin\wpbm-toolbar-tiny.php:64
filter mce_buttons core\admin\wpbm-toolbar-tiny.php:67
action edit_page_form core\admin\wpbm-toolbar-tiny.php:73
action admin_head core\admin\wpbm-toolbar-tiny.php:74
action admin_footer core\admin\wpbm-toolbar-tiny.php:78
action admin_footer core\admin\wpbm-toolbar-tiny.php:107
action admin_footer core\admin\wpbm-toolbar-tiny.php:108
filter upgrader_post_install core\any\activation.php:46
filter plugin_action_links core\any\activation.php:49
filter plugin_row_meta core\any\activation.php:51
action plugins_loaded core\any\activation.php:185
filter phpmailer_init core\any\api-emails.php:39
action wp_mail_failed core\any\api-emails.php:41
action admin_menu core\any\class-admin-menu.php:69
action admin_menu core\any\class-admin-menu.php:71
action wpbm_define_nav_tabs core\any\class-admin-page-structure.php:38
action wpbm_page_structure_show core\any\class-admin-page-structure.php:40
action wpbm_after_settings_content core\any\class-admin-settings-api.php:101
action admin_enqueue_scripts core\any\class-css-js.php:20
action wp_enqueue_scripts core\any\class-css-js.php:21
action wpbm_load_js_on_admin_page core\any\class-css-js.php:23
action wpbm_load_css_on_admin_page core\any\class-css-js.php:24
action wpbm_enqueue_js_files core\any\wpbm-class-dismiss.php:61
action wpbm_enqueue_css_files core\any\wpbm-class-dismiss.php:62
action wpbm_hook_wpbm_page_header core\any\wpbm-class-notices.php:22
action wpbm_settings_after_header core\any\wpbm-class-notices.php:23
action template_redirect core\wpbc\wpbm-bc-export.php:191
filter wpbc_get_insert_sql_for_dates core\wpbc\wpbm-bc-import.php:467
action wpbm_ics_import_start core\wpbc\wpbm-bc-import.php:544
filter wpbc_get_insert_sql_for_dates core\wpbc\wpbm-bc-import.php:923
filter wpbc_is_reupdate_dates_to_child_resources core\wpbc\wpbm-bc-import.php:926
filter locale core\wpbm-ajax.php:60
action admin_init core\wpbm-ajax.php:132
action wpbm_admin_show_top_notice core\wpbm-debug.php:253
filter wpbm_email_api_get_subject_before core\wpbm-emails.php:76
filter wpbm_email_api_get_content_before core\wpbm-emails.php:101
filter wpbm_email_api_get_content_after core\wpbm-emails.php:117
filter wpbm_email_api_get_headers_after core\wpbm-emails.php:161
filter wpbm_email_api_is_allow_send core\wpbm-emails.php:178
filter wpbm_email_api_is_allow_send_copy core\wpbm-emails.php:179
action wpbm_email_sending_error core\wpbm-emails.php:216
filter wpbm_is_load_script_on_this_page core\wpbm-js.php:290
action plugins_loaded core\wpbm-translation.php:164
filter load_textdomain_mofile core\wpbm-translation.php:183
filter plugin_locale core\wpbm-translation.php:234
action admin_footer core\wpbm-upload.php:58
action _admin_menu core\wpbm.php:57
action admin_footer core\wpbm.php:58
action wp_enqueue_scripts core\wpbm.php:62
action wp_enqueue_scripts core\wpbm.php:63
action wp_footer core\wpbm.php:64
action admin_notices core\wpbm.php:310
Maintenance & Trust

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version: 5.6
Downloads: 168K

Community Trust

Rating: 80/100
Number of ratings: 2
Active installs: 5K
Developer Profile

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar Developer Profile

wpdevelop

25 plugins · 59K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 437 days
Detection Fingerprints

How We Detect Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/booking-manager/assets/img/icon-16x16.png
/wp-content/plugins/booking-manager/js/wpbm_tinymce_btn.js
/wp-content/plugins/booking-manager/assets/libs/bootstrap/js/bootstrap.js
/wp-content/plugins/booking-manager/js/wpbm_bs_no_conflict.js
/wp-content/plugins/booking-manager/assets/css/wpbm-admin-style.css
/wp-content/plugins/booking-manager/assets/css/wpbm-common-style.css
/wp-content/plugins/booking-manager/assets/css/wpbm-admin-style.min.css
/wp-content/plugins/booking-manager/assets/css/wpbm-common-style.min.css
Script Paths
/wp-content/plugins/booking-manager/js/wpbm_tinymce_btn.js
Version Parameters
booking-manager/assets/libs/bootstrap/js/bootstrap.js?ver=
booking-manager/js/wpbm_bs_no_conflict.js?ver=
booking-manager/assets/css/wpbm-admin-style.css?ver=
booking-manager/assets/css/wpbm-common-style.css?ver=
booking-manager/assets/css/wpbm-admin-style.min.css?ver=
booking-manager/assets/css/wpbm-common-style.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpbm_insert_shortcode_button
HTML Comments
FixIn: 2025-04-04.
FixIn: 2.0.8.2 - compatibility with Gutenberg 4.1- 4.3 ( or newer ) at edit post page.
Data Attributes
data-target="#wpbm_tiny_modal"
data-toggle="modal"
JS Globals
wpbm_init_tinymce_buttons
wpbm_tiny_btn_click
wpbm_plugin_url
FAQ

Frequently Asked Questions about Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar