Bookit — Booking & Appointment Calendar Security & Risk Analysis

wordpress.org/plugins/bookit

Appointment booking and event calendar for WordPress. Services, staff, availability, shortcodes, and email notifications. Prevents double-booking.

5K active installs · v2.5.4 · PHP 7.4+ · WP 6.3+ · Updated Mar 11, 2026
Tags: appointment-booking, appointment-calendar, booking, booking-calendar, calendar
Score: 87 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Nov 15, 2025
Safety Verdict

Is Bookit — Booking & Appointment Calendar Safe to Use in 2026?

Generally Safe

Score 87/100

Bookit — Booking & Appointment Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Nov 15, 2025 · Updated 23d ago
Risk Assessment

The 'bookit' plugin v2.5.4 exhibits a mixed security posture, with some strong security practices but also significant areas of concern. The plugin benefits from a high percentage of properly escaped output and the consistent use of prepared statements for all SQL queries, which are excellent indicators of good coding hygiene. However, the presence of two unprotected AJAX handlers represents a considerable attack surface that could be exploited by unauthenticated users. Furthermore, the plugin's history is marred by a substantial number of known CVEs, including a past critical vulnerability, and common types of security flaws like missing authorization and authentication bypass. While there are currently no unpatched CVEs, this historical pattern suggests a recurring tendency towards introducing security weaknesses.

The static analysis also highlights the use of the `unserialize` function, which can be a vector for deserialization vulnerabilities if not handled with extreme caution and proper sanitization, although no critical taint flows were identified. The outdated bundled Freemius library is another potential concern, as older versions may contain known vulnerabilities. In conclusion, while the plugin demonstrates a commitment to some secure coding principles, the identified unprotected entry points, a concerning vulnerability history, and the use of potentially dangerous functions warrant careful attention and mitigation.

Key Concerns

  • Unprotected AJAX handlers
  • Bundled outdated library (Freemius v1.0)
  • Use of dangerous function: unserialize
  • Known critical vulnerability in history
  • Known high vulnerability in history
  • Known medium vulnerabilities in history
Vulnerabilities (5)

Bookit — Booking & Appointment Calendar Security Vulnerabilities

CVEs by Year

2023: 2 CVEs
2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

Critical: 1
High: 1
Medium: 3

5 total CVEs

CVE-2025-12841 · Medium (5.3) · Missing Authorization

Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Settings Update

Nov 15, 2025 · Patched in 2.5.1 (35d)

CVE-2025-12633 · High (7.5) · Missing Authorization

Booking Calendar | Appointment Booking | Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection

Nov 11, 2025 · Patched in 2.5.1 (1d)

CVE-2024-24715 · Medium (4.9) · Improper Authorization

BookIt <= 2.4.0 - Price Bypass

Jan 31, 2024 · Patched in 2.4.1 (3d)

CVE-2023-50852 · Medium (6.6) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BookIt <= 2.4.3 - Authenticated (Administrator+) SQL Injection

Dec 21, 2023 · Patched in 2.4.4 (33d)

CVE-2023-2834 · Critical (9.8) · Authentication Bypass Using an Alternate Path or Channel

BookIt <= 2.3.7 - Authentication Bypass

Jun 20, 2023 · Patched in 2.3.8 (217d)
Code Analysis
Analyzed Mar 16, 2026

Bookit — Booking & Appointment Calendar Code Analysis

Dangerous Functions: 10
Raw SQL Queries: 0 (69 prepared)
Unescaped Output: 10 (278 escaped)
Nonce Checks: 40
Capability Checks: 31
File Operations: 5
External Requests: 13
Bundled Libraries: 1

Dangerous Functions Found

unserialize  includes\classes\admin\AppointmentsController.php:258
    $value['notes'] = unserialize( trim( $value['notes'] ) );
unserialize  includes\classes\admin\AppointmentsController.php:299
    $notes = unserialize( trim( $appointment->notes ) );
unserialize  includes\classes\admin\AppointmentsController.php:381
    $notes = unserialize( trim( $appointment->notes ) );
unserialize  includes\classes\admin\AppointmentsController.php:520
    $appointment['notes'] = unserialize( trim( $data['notes'] ) ); // phpcs:ignore WordPress.PHP.Discour
unserialize  includes\classes\admin\AppointmentsController.php:562
    $notes = unserialize( $appointment['notes'] ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFun
unserialize  includes\classes\admin\AppointmentsController.php:582
    $updatedAppointment['notes'] = unserialize( trim( $updatedAppointment['notes'] ) ); // phpcs:ignore
unserialize  includes\classes\database\Categories.php:150
    $notes = unserialize( $appointment->notes );
unserialize  includes\classes\database\Customers.php:47
    $notes = unserialize( $appointment->notes );
unserialize  includes\classes\database\Services.php:136
    $notes = unserialize( $appointment->notes );
unserialize  includes\classes\database\Staff.php:185
    $notes = unserialize( $appointment->notes );

Bundled Libraries

Freemius 1.0

SQL Query Safety

100% prepared (69 total queries)

Output Escaping

97% escaped (288 total outputs)
Data Flows (1 unsanitized)

Data Flow Analysis

7 flows, 1 with unsanitized paths
<init> (includes\init.php:0)
Attack Surface (2 unprotected)

Bookit — Booking & Appointment Calendar Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers (2)

auth    wp_ajax_bookit_stripeConnect_intent_payment  src\Bookit\Gateways\StripeConnect\Hooks.php:33
nopriv  wp_ajax_bookit_stripeConnect_intent_payment  src\Bookit\Gateways\StripeConnect\Hooks.php:34

Shortcodes (1)

[bookit] includes\classes\BookitController.php:19
WordPress Hooks (34)

action  plugin_version_update              bookit.php:100
action  after_uninstall                    bookit.php:101
action  plugins_loaded                     bookit.php:111
action  admin_menu                         includes\classes\admin\AdminMenu.php:13
action  admin_head                         includes\classes\admin\SettingsController.php:340
action  admin_head                         includes\classes\admin\SettingsController.php:349
action  init                               includes\classes\admin\SettingsController.php:353
action  bookit_before_update_setting       includes\classes\Customization.php:13
action  bookit_appointment_created         includes\classes\Notifications.php:23
action  bookit_appointment_updated         includes\classes\Notifications.php:24
action  bookit_payment_complete            includes\classes\Notifications.php:25
action  bookit_appointment_status_changed  includes\classes\Notifications.php:26
action  bookit_appointment_deleted         includes\classes\Notifications.php:27
filter  bookit_filter_email_data           includes\classes\Notifications.php:28
action  bookit_appointment_created         includes\classes\Notifications.php:29
filter  stm_admin_notice_rate_bookit_single  includes\classes\Notifications.php:30
filter  wp_mail_content_type               includes\classes\Notifications.php:66
filter  wp_mail_from_name                  includes\classes\Notifications.php:67
filter  wp_mail_from                       includes\classes\Notifications.php:68
action  admin_footer                       includes\conflux.php:2
action  init                               includes\init.php:13
action  init                               includes\init.php:28
action  vc_after_set_mode                  includes\init.php:50
action  plugins_loaded                     includes\init.php:51
action  admin_init                         includes\init.php:58
action  elementor/widgets/register         includes\widgets\ElementorWidget.php:37
action  rest_api_init                      src\Bookit\Gateways\StripeConnect\Hooks.php:30
action  bookit_before_update_setting       src\Bookit\Gateways\StripeConnect\Hooks.php:31
filter  bookit_settings                    src\Bookit\Gateways\StripeConnect\Hooks.php:74
filter  bookit_settings_template_vars      src\Bookit\Gateways\StripeConnect\Hooks.php:75
filter  bookit_settings_template_vars      src\Bookit\Gateways\StripeConnect\Hooks.php:76
filter  allowed_redirect_hosts             src\Bookit\Gateways\StripeConnect\REST\Return_Endpoint.php:166
action  plugins_loaded                     src\Bookit\Plugin.php:143
action  rest_api_init                      src\Bookit\REST\Provider.php:46
Maintenance & Trust

Bookit — Booking & Appointment Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.4
Downloads: 213K

Community Trust

Rating: 76/100
Number of ratings: 24
Active installs: 5K
Developer Profile

Bookit — Booking & Appointment Calendar Developer Profile

StellarWP

26 plugins · 3.1M total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 462 days
Detection Fingerprints

How We Detect Bookit — Booking & Appointment Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bookit/assets/dist/dashboard/js/app.js
/wp-content/plugins/bookit/assets/dist/dashboard/css/app.css
/wp-content/plugins/bookit/assets/dist/dashboard/css/addons.css
Script Paths
/wp-content/plugins/bookit/assets/dist/dashboard/js/app.js
Version Parameters
bookit/assets/dist/dashboard/js/app.js?ver=
bookit/assets/dist/dashboard/css/app.css?ver=
bookit/assets/dist/dashboard/css/addons.css?ver=

HTML / DOM Fingerprints

JS Globals
bookit_window
FAQ

Frequently Asked Questions about Bookit — Booking & Appointment Calendar