Booking Package Security & Risk Analysis

wordpress.org/plugins/booking-package

Booking Package is the simplest solution for integrating an online appointment booking calendar system and event calendar into your WordPress website.

10K active installs · v1.7.04 · PHP 7.2+ · WP 3.5+ · Updated Feb 24, 2026
Tags: appointment, booking, booking-calendar, reservation, 予約システム
Score: 92 · A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Feb 18, 2025
Safety Verdict

Is Booking Package Safe to Use in 2026?

Generally Safe

Score 92/100

Booking Package has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Feb 18, 2025 · Updated 1mo ago
Risk Assessment

The booking-package plugin v1.7.05 exhibits a mixed security posture. While it demonstrates some good security practices, such as 100% of SQL queries using prepared statements and a significant number of nonce and capability checks, there are notable areas of concern.

The static analysis reveals a low percentage of properly escaped output (39%), indicating a potential for Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not adequately sanitized before being rendered. Furthermore, the taint analysis identified one flow with an unsanitized path, which, though not classified as critical or high severity in this analysis, warrants attention as it represents a potential entry point for malicious input.

The plugin's history of 6 known CVEs, including past critical and high severity issues like XSS, authorization bypass, and information exposure, is a significant red flag. This history suggests a recurring pattern of security weaknesses. Although there are currently no unpatched CVEs, the past vulnerabilities indicate a need for ongoing vigilance and rigorous security testing.

The overall risk is moderate, primarily due to the high number of past vulnerabilities and the significant proportion of unescaped output, which could be exploited despite the absence of critical findings in the current static analysis.

Key Concerns

  • High percentage of unescaped output
  • Taint analysis found unsanitized path
  • History of 6 CVEs, including critical/high
Vulnerabilities
6

Booking Package Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2022: 1 CVE
2023: 2 CVEs
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Critical: 1
High: 1
Medium: 4

6 total CVEs

CVE-2024-13508 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Booking Package <= 1.6.72 - Reflected Cross-Site Scripting via Locale Parameter

Feb 18, 2025 · Patched in 1.6.73 (1d)

CVE-2024-30516 · medium · 5.3 · Use of Less Trusted Source

Booking Package <= 1.6.27 - Unauthenticated Price Manipulation

Mar 28, 2024 · Patched in 1.6.29 (7d)

CVE-2023-39918 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Booking Package <= 1.6.01 - Reflected Cross-Site Scripting via 'mode'

Aug 7, 2023 · Patched in 1.6.02 (169d)

CVE-2023-37389 · critical · 9.8 · Authorization Bypass Through User-Controlled Key

Booking Package <= 1.5.98 - Authorization Bypass to Arbitrary Password Reset

Jul 5, 2023 · Patched in 1.5.99 (202d)

CVE-2022-0709 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

Booking Package <= 1.5.28 - Unauthenticated Sensitive Data Disclosure

Mar 9, 2022 · Patched in 1.5.29 (685d)

CVE-2021-20840 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Booking Package <= 1.5.10 - Reflected Cross-Site Scripting

Nov 10, 2021 · Patched in 1.5.11 (804d)
Code Analysis
Analyzed Mar 16, 2026

Booking Package Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 193 (125 escaped)
Nonce Checks: 8
Capability Checks: 13
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Output Escaping

39% escaped · 318 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
login_errors (index.php:651)
Attack Surface

Booking Package Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[booking_package] index.php:247

WordPress Hooks 28

filter · locale · index.php:212
filter · load_textdomain_mofile · index.php:213
action · booking_package_notification · index.php:217
action · wp_dashboard_setup · index.php:218
action · admin_menu · index.php:219
action · profile_update · index.php:220
action · personal_options_update · index.php:221
action · user_register · index.php:222
action · delete_user · index.php:223
action · wp_before_admin_bar_render · index.php:224
action · admin_bar_menu · index.php:226
action · widgets_init · index.php:237
action · login_enqueue_scripts · index.php:239
action · init · index.php:240
filter · login_headerurl · index.php:241
filter · login_headertext · index.php:242
action · wp_print_footer_scripts · index.php:243
filter · widget_text · index.php:251
action · wp_insert_site · index.php:256
action · wpmu_new_blog · index.php:260
action · wp_delete_site · index.php:266
action · delete_blog · index.php:270
action · init · index.php:276
action · init · index.php:295
action · init · index.php:303
action · init · index.php:309
action · init · index.php:315
action · admin_init · index.php:321

Scheduled Events 2

booking_package_notification
booking_package_notification
Maintenance & Trust

Booking Package Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 24, 2026
PHP min version: 7.2
Downloads: 1.1M

Community Trust

Rating: 80/100
Number of ratings: 15
Active installs: 10K
Developer Profile

Booking Package Developer Profile

MASAAKI

3 plugins · 10K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 311 days
Detection Fingerprints

How We Detect Booking Package

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/booking-package/asset/css/theme.css
  • /wp-content/plugins/booking-package/asset/css/materialize.css
  • /wp-content/plugins/booking-package/asset/css/custom.css
  • /wp-content/plugins/booking-package/asset/js/booking.js
  • /wp-content/plugins/booking-package/asset/js/common.js
  • /wp-content/plugins/booking-package/asset/js/calendar.js
  • /wp-content/plugins/booking-package/asset/js/booking_package_dashboard.js
  • /wp-content/plugins/booking-package/asset/js/booking_package_settings.js
  • +38 more
Script Paths
  • /wp-content/plugins/booking-package/booking-package.php
  • /wp-content/plugins/booking-package/lib/Setting.php
  • /wp-content/plugins/booking-package/lib/Schedule.php
  • /wp-content/plugins/booking-package/lib/CreditCard.php
  • /wp-content/plugins/booking-package/lib/Html.php
  • /wp-content/plugins/booking-package/lib/Database.php
  • +3 more

HTML / DOM Fingerprints

CSS Classes
  • booking_package_dashboard_container
  • booking_package_dashboard_tabs
  • booking_package_dashboard_content
  • booking_package_dashboard_content_menu
  • booking_package_dashboard_menu_item
  • booking_package_dashboard_form_block
  • booking_package_dashboard_form_input
  • booking_package_dashboard_form_label
  • +87 more
HTML Comments
  • <!-- booking_package -->
  • <!-- booking_package.php -->
  • <!-- Booking Package SAASPROJECT -->
  • <!-- Booking Package is a high-performance booking calendar system that anyone can easily use. -->
Data Attributes
  • data-plugin-name="booking-package"
  • data-plugin-version="1.7.05"
JS Globals
  • booking_package_vars
  • booking_package_settings
  • booking_package_ajax_url
  • booking_package_nonce
REST Endpoints
  • /wp-json/booking-package/v1/settings
  • /wp-json/booking-package/v1/calendars
  • /wp-json/booking-package/v1/reservations