Booking Ultra Pro Appointments Booking Calendar Plugin Security & Risk Analysis
wordpress.org/plugins/booking-ultra-proPowerful Booking Plugin with amazing dashboard to manage all of your appointments & bookings online.
Is Booking Ultra Pro Appointments Booking Calendar Plugin Safe to Use in 2026?
Use With Caution
Score 50/100Booking Ultra Pro Appointments Booking Calendar Plugin has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The booking-ultra-pro plugin exhibits a mixed security posture. While it demonstrates good practices in SQL query handling and a significant portion of its output escaping, the presence of 30 unprotected AJAX handlers represents a substantial attack surface. The taint analysis reveals 4 high-severity flows with unsanitized paths, indicating potential vulnerabilities that could be exploited if the input is not properly validated and neutralized.
The plugin's vulnerability history is a major concern, with 15 known CVEs, including one critical and six high-severity issues. The fact that one critical vulnerability remains unpatched is a significant risk. The recurring vulnerability types, such as missing authorization, XSS, and RFI, suggest a pattern of fundamental security flaws that have not been fully addressed over time. This history, coupled with the identified code signals, points to a need for significant security improvements.
In conclusion, while the plugin utilizes prepared statements for SQL and has decent output escaping, the numerous unprotected AJAX endpoints, high-severity taint flows, and extensive history of unpatched vulnerabilities, particularly a critical one, paint a picture of a plugin with serious security weaknesses. The outdated bundled jQuery library is a minor concern but adds to the overall impression of a lack of consistent security maintenance.
Key Concerns
- Unprotected AJAX handlers
- High severity taint flows
- Currently unpatched critical CVE
- High number of high severity CVEs
- Bundled outdated jQuery library
- Flows with unsanitized paths
Booking Ultra Pro Appointments Booking Calendar Plugin Security Vulnerabilities
CVEs by Year
Severity Breakdown
15 total CVEs
Booking Ultra Pro <= 1.1.23 - Authenticated (Subscriber+) Information Exposure
Booking Ultra Pro <= 1.1.21 - Authenticated (Contributor+) Stored Cross-Site Scripting
Booking Ultra Pro <= 1.1.20 - Authenticated (Administrator+) Stored Cross-Site Scripting
Booking Ultra Pro <= 1.1.19 - Reflected Cross-Site Scripting
Booking Ultra Pro <= 1.1.13 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Updates
Booking Ultra Pro <= 1.1.13 - Unauthenticated Local File Inclusion
Booking Ultra Pro <= 1.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Booking Ultra Pro <= 1.1.12 - Authenticated (Contributor+) Privilege Escalation
Booking Ultra Pro <= 1.1.6 - Missing Authorization via save_fields_settings
Booking Ultra Pro <= 1.1.8 - Reflected Cross-Site Scripting
Booking Ultra Pro <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting
Booking Ultra Pro <= 1.1.6 - Cross-Site Request Forgery
Booking Ultra Pro <= 1.1.5 - Missing Authorization
Booking Ultra Pro <= 1.1.6 - Cross-Site Request Forgery
Booking Ultra Pro <= 1.1.8 - Stored Cross-Site Scripting
Booking Ultra Pro Appointments Booking Calendar Plugin Code Analysis
Bundled Libraries
SQL Query Safety
Output Escaping
Data Flow Analysis
Booking Ultra Pro Appointments Booking Calendar Plugin Attack Surface
AJAX Handlers 90
Shortcodes 1
WordPress Hooks 38
Maintenance & Trust
Booking Ultra Pro Appointments Booking Calendar Plugin Maintenance & Trust
Maintenance Signals
Community Trust
Booking Ultra Pro Appointments Booking Calendar Plugin Alternatives
SimplyBook.me – Booking and reservations calendar
simplybook
Simply add a booking calendar to your site to schedule bookings, reservations, appointments and to collect payments.
SuperSaaS – online appointment scheduling
supersaas-appointment-scheduling
SuperSaaS is a flexible appointment scheduling system that works with many different businesses. The basic version is free.
Alex Reservations: Smart Restaurant Booking
alex-reservations
Restaurant reservations solution to help you manage your daily bookings.
Time Slot – Booking and Appointment Scheduling
timeslot
Book appointments, organize your schedule, send notifications, and more. Keep booking simple for everyone with Time Slot.
Reservation.Studio widget
reservation-studio-widget
Reservation.Studio WordPress booking widget
Booking Ultra Pro Appointments Booking Calendar Plugin Developer Profile
3 plugins · 3K total installs
How We Detect Booking Ultra Pro Appointments Booking Calendar Plugin
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/booking-ultra-pro/assets/js/bup-admin-script.js/wp-content/plugins/booking-ultra-pro/assets/css/bup-admin-style.css/wp-content/plugins/booking-ultra-pro/assets/css/bup-frontend-style.css/wp-content/plugins/booking-ultra-pro/assets/js/bup-frontend-script.jsbooking-ultra-pro/assets/js/bup-admin-script.jsbooking-ultra-pro/assets/js/bup-frontend-script.jsbooking-ultra-pro/assets/js/bup-admin-script.js?ver=booking-ultra-pro/assets/css/bup-admin-style.css?ver=booking-ultra-pro/assets/css/bup-frontend-style.css?ver=booking-ultra-pro/assets/js/bup-frontend-script.js?ver=HTML / DOM Fingerprints
bup-notice-holder<!-- Master Class --><!-- Helper to activate a plugin on another site without causing a fatal error by --><!-- Running on a single blog --><!-- Loading Function -->+3 moredata-bup-pagedata-bup-actiondata-bup-noncebookingultrapro_admin_script_varsbup_booking_frontend_varsbookingUltraProbup_vars/wp-json/booking-ultra-pro/v1/settings/wp-json/booking-ultra-pro/v1/appointments[bookingultrapro][bup_appointments][bup_staff_list]