Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings Security & Risk Analysis

wordpress.org/plugins/bookingor

Bookingor is a Great Booking System for Appointment Booking Plugin. Schedule Booking Calendar events, meeting scheduler, Automated book appointment

80 active installs v2.0.14 PHP 7.2+ WP 3.4+ Updated Mar 12, 2026
Tags: appointment, booking, booking-system, calendar, scheduling
Score: 76 (B · Generally Safe)
CVEs total: 2
Unpatched: 1
Last CVE: Jan 20, 2026
Safety Verdict

Is Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings Safe to Use in 2026?

Mostly Safe

Score 76/100

Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings is generally safe to use. 2 past CVEs were resolved.

2 known CVEs · 1 unpatched · Last CVE: Jan 20, 2026 · Updated 2mo ago
Risk Assessment

Version 2.0.14 of the "bookingor" plugin has a concerning security posture, primarily because of its large number of unprotected AJAX handlers. The plugin follows good practice in SQL query preparation and output escaping, but the volume of exposed entry points (71 out of 80 total) significantly increases the attack surface, and the lack of authentication checks on AJAX endpoints presents a high risk of unauthorized actions. The taint analysis found two high-severity flows with unsanitized paths, which adds to these concerns: if those flows are triggered, they could allow malicious data manipulation or execution. The vulnerability history, with two medium-severity CVEs, one of them currently unpatched, shows a recurring pattern of missing authorization and reinforces the static-analysis findings. Despite the plugin's strengths in SQL handling and output escaping, the authorization weaknesses and the unpatched vulnerability are critical issues that require immediate attention. The unpatched CVE is a significant risk because it is a known vulnerability that could be exploited.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Unpatched CVE
  • Recurring missing authorization vulnerabilities
  • Bundled DataTables library
  • Bundled Select2 library
  • Bundled Guzzle library
Vulnerabilities
2 published

Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings Security Vulnerabilities

CVEs by Year

2025: 1 CVE
2026: 1 CVE · unpatched

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-12573 · medium · 4.3 · Missing Authorization

Bookingor <= 1.0.12 - Missing Authorization

Jan 20, 2026 · Unpatched

CVE-2025-32231 · medium · 4.3 · Missing Authorization

Bookingor <= 2.0.1 - Missing Authorization

Apr 4, 2025 Patched in 2.0.2 (295d)

Code Analysis
Analyzed Mar 16, 2026

Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 26 (163 prepared)
Unescaped Output: 145 (5353 escaped)
Nonce Checks: 58
Capability Checks: 29
File Operations: 0
External Requests: 0
Bundled Libraries: 3

Bundled Libraries

DataTables, Select2, Guzzle

SQL Query Safety

86% prepared · 189 total queries

Output Escaping

97% escaped · 5498 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

25 flows · 2 with unsanitized paths
change_booking_status (app\Backend\Controller\Bookings\BookingsControl.php:121)
Attack Surface
71 unprotected

Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings Attack Surface

Entry Points: 80
Unprotected: 71

AJAX Handlers 71

auth wp_ajax_bp_add_category includes\class-bookingor.php:177
auth wp_ajax_bp_get_category includes\class-bookingor.php:178
auth wp_ajax_bp_update_category includes\class-bookingor.php:179
auth wp_ajax_bp_delete_category includes\class-bookingor.php:180
auth wp_ajax_bp_add_boooking_buttons includes\class-bookingor.php:182
auth wp_ajax_bp_add_service includes\class-bookingor.php:184
auth wp_ajax_bp_delete_service includes\class-bookingor.php:185
auth wp_ajax_bp_service_update includes\class-bookingor.php:188
auth wp_ajax_bp_add_timesheet includes\class-bookingor.php:191
auth wp_ajax_bp_get_subcategory_for_services includes\class-bookingor.php:192
auth wp_ajax_bp_settings_update includes\class-bookingor.php:194
auth wp_ajax_bp_settings_email_test includes\class-bookingor.php:195
auth wp_ajax_myaction includes\class-bookingor.php:197
nopriv wp_ajax_myaction includes\class-bookingor.php:198
auth wp_ajax_secureBookingor includes\class-bookingor.php:199
auth wp_ajax_profile_update_Options includes\class-bookingor.php:203
auth wp_ajax_bookingor_create_booking_page includes\class-bookingor.php:206
auth wp_ajax_bookingor_import_demo includes\class-bookingor.php:207
auth wp_ajax_bookingor_mark_setup_complete includes\class-bookingor.php:208
auth wp_ajax_bp_add_staff includes\class-bookingor.php:210
auth wp_ajax_bp_staff_update includes\class-bookingor.php:211
auth wp_ajax_bp_delete_staff includes\class-bookingor.php:212
auth wp_ajax_updates_design_templates includes\class-bookingor.php:218
auth wp_ajax_updates_design_templates includes\class-bookingor.php:219
auth wp_ajax_bp_settings_get_design_templates_data includes\class-bookingor.php:220
nopriv wp_ajax_bp_settings_get_design_templates_data includes\class-bookingor.php:221
auth wp_ajax_bp_add_location includes\class-bookingor.php:224
auth wp_ajax_bp_update_location includes\class-bookingor.php:225
auth wp_ajax_bp_delete_location includes\class-bookingor.php:227
auth wp_ajax_bp_get_location includes\class-bookingor.php:228
auth wp_ajax_change_booking_status includes\class-bookingor.php:231
auth wp_ajax_customer_delete includes\class-bookingor.php:234
auth wp_ajax_bp_notification_email_update includes\class-bookingor.php:238
auth wp_ajax_change_pay_status includes\class-bookingor.php:240
auth wp_ajax_update_paid_n_pay_status includes\class-bookingor.php:241
auth wp_ajax_update_paid_amount includes\class-bookingor.php:242
auth wp_ajax_show_events_full_calender includes\class-bookingor.php:247
nopriv wp_ajax_show_events_full_calender includes\class-bookingor.php:248
auth wp_ajax_front_get_staff_time_sheet includes\class-bookingor.php:304
nopriv wp_ajax_front_get_staff_time_sheet includes\class-bookingor.php:305
auth wp_ajax_front_get_service_time_sheet includes\class-bookingor.php:307
nopriv wp_ajax_front_get_service_time_sheet includes\class-bookingor.php:308
auth wp_ajax_bookingor_front_business_weekly_time_sheet includes\class-bookingor.php:310
nopriv wp_ajax_bookingor_front_business_weekly_time_sheet includes\class-bookingor.php:311
auth wp_ajax_bp_confirm_booking includes\class-bookingor.php:314
nopriv wp_ajax_bp_confirm_booking includes\class-bookingor.php:315
auth wp_ajax_bp_front_services_data includes\class-bookingor.php:318
nopriv wp_ajax_bp_front_services_data includes\class-bookingor.php:319
auth wp_ajax_bp_front_services_data_w_location includes\class-bookingor.php:320
nopriv wp_ajax_bp_front_services_data_w_location includes\class-bookingor.php:321
auth wp_ajax_bp_front_get_subcategory_ajx includes\class-bookingor.php:325
nopriv wp_ajax_bp_front_get_subcategory_ajx includes\class-bookingor.php:326
auth wp_ajax_bp_front_staff_assigns includes\class-bookingor.php:331
nopriv wp_ajax_bp_front_staff_assigns includes\class-bookingor.php:332
auth wp_ajax_bp_get_staff_email includes\class-bookingor.php:333
nopriv wp_ajax_bp_get_staff_email includes\class-bookingor.php:334
auth wp_ajax_front_get_location includes\class-bookingor.php:341
nopriv wp_ajax_front_get_location includes\class-bookingor.php:342
auth wp_ajax_service_staff_location_assign_maps includes\class-bookingor.php:343
nopriv wp_ajax_service_staff_location_assign_maps includes\class-bookingor.php:344
auth wp_ajax_service_location_assign_with_id includes\class-bookingor.php:345
nopriv wp_ajax_service_location_assign_with_id includes\class-bookingor.php:346
nopriv wp_ajax_secureBookingor includes\class-bookingor.php:348
auth wp_ajax_bp_settings_get_data includes\class-bookingor.php:350
nopriv wp_ajax_bp_settings_get_data includes\class-bookingor.php:351
auth wp_ajax_validateCustomerForm includes\class-bookingor.php:353
nopriv wp_ajax_validateCustomerForm includes\class-bookingor.php:354
auth wp_ajax_bookingor_wc_cart_page includes\class-bookingor.php:358
nopriv wp_ajax_bookingor_wc_cart_page includes\class-bookingor.php:359
auth wp_ajax_bookingor_wc_created includes\class-bookingor.php:360
nopriv wp_ajax_bookingor_wc_created includes\class-bookingor.php:361

Shortcodes 9

[BOOKINGOR_DESIGN_1] includes\class-bookingor.php:293
[BOOKINGOR_DESIGN_2] includes\class-bookingor.php:294
[BOOKINGOR_DESIGN_3] includes\class-bookingor.php:295
[BOOKINGOR_DESIGN_4] includes\class-bookingor.php:296
[BOOKINGOR_DESIGN_5] includes\class-bookingor.php:297
[BOOKINGOR_DESIGN_6] includes\class-bookingor.php:298
[BOOKINGOR_START_CATEGORY] includes\class-bookingor.php:299
[BOOKINGOR_STARTER] includes\class-bookingor.php:300
[BOOKINGOR_START_STAFF] includes\class-bookingor.php:301
WordPress Hooks 35
action elementor/controls/register app\Integrations\Elementor\ElementorIntegration.php:39
action upgrader_process_complete bookingor.php:82
action plugins_loaded includes\class-bookingor.php:138
action admin_enqueue_scripts includes\class-bookingor.php:169
action admin_enqueue_scripts includes\class-bookingor.php:170
action admin_menu includes\class-bookingor.php:171
action admin_init includes\class-bookingor.php:172
action admin_init includes\class-bookingor.php:173
action admin_init includes\class-bookingor.php:176
action admin_post_bp_category_view includes\class-bookingor.php:181
action admin_init includes\class-bookingor.php:186
action admin_init includes\class-bookingor.php:187
action admin_init includes\class-bookingor.php:189
action admin_post_bp_view_service includes\class-bookingor.php:190
action admin_init includes\class-bookingor.php:196
action admin_init includes\class-bookingor.php:202
action admin_init includes\class-bookingor.php:213
action admin_init includes\class-bookingor.php:214
action admin_init includes\class-bookingor.php:215
action admin_init includes\class-bookingor.php:226
action admin_init includes\class-bookingor.php:230
action admin_init includes\class-bookingor.php:233
action admin_init includes\class-bookingor.php:237
action admin_init includes\class-bookingor.php:243
action wp_enqueue_scripts includes\class-bookingor.php:290
action wp_enqueue_scripts includes\class-bookingor.php:291
action init includes\class-bookingor.php:323
action init includes\class-bookingor.php:324
action init includes\class-bookingor.php:330
action init includes\class-bookingor.php:338
action init includes\class-bookingor.php:339
action init includes\class-bookingor.php:340
action init includes\class-bookingor.php:356
action init includes\class-bookingor.php:357
action woocommerce_thankyou includes\class-bookingor.php:362
Maintenance & Trust

Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.2
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 80
Developer Profile

Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings Developer Profile

Bookingor

1 plugin · 80 total installs

Trust score: 62
Avg Security Score: 76/100
Avg Patch Time: 295 days
Detection Fingerprints

How We Detect Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bookingor/assets/css/bookingor-public.css
/wp-content/plugins/bookingor/assets/js/bookingor-public.js
Script Paths
/wp-content/plugins/bookingor/assets/js/bookingor-public.js
Version Parameters
bookingor/assets/css/bookingor-public.css?ver=
bookingor/assets/js/bookingor-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
bookingor-button, bookingor-btn-wrap, bookingor-btn, bookingor-booking-section
Data Attributes
data-bookingor-id, data-bookingor-service-id
JS Globals
bookingorApp, bookingor_data
REST Endpoints
/wp-json/bookingor/v1/get_services
/wp-json/bookingor/v1/get_appointments
Shortcode Output
[bookingor_booking_form] [bookingor_appointment_calendar] [bookingor_button]