Online Scheduling and Appointment Booking System – Bookly Security & Risk Analysis

wordpress.org/plugins/bookly-responsive-appointment-booking-tool

Appointment booking system for WordPress — schedule appointments, manage calendars, send reminders, take payments. Start booking today!

70K active installs · v27.4 · PHP 5.3.7+ · WP 3.7+ · Updated Apr 14, 2026
Tags: appointment-booking, appointments, booking, booking-calendar, booking-system

Score: 88
Grade: A · Safe
CVEs total: 10
Unpatched: 0
Last CVE: Apr 8, 2026
Safety Verdict

Is Online Scheduling and Appointment Booking System – Bookly Safe to Use in 2026?

Generally Safe

Score 88/100

Online Scheduling and Appointment Booking System – Bookly has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

10 known CVEs · Last CVE: Apr 8, 2026 · Updated 1mo ago
Risk Assessment

The static analysis of Bookly Responsive Appointment Booking Tool v27.1 (snapshot of Mar 17, 2026) shows a generally robust posture: 43 of 47 $wpdb queries go through prepared statements, 889 of 1124 outputs are escaped, and the scanner flagged no dangerous functions, file operations, external HTTP requests, or critical/high severity taint flows. Two caveats apply to those numbers. First, the scanner enumerated 0 entry points and 0 nonce checks for a plugin that serves its booking form over AJAX (it registers handlers from frontend\modules\booking\Ajax.php), so the nonce and capability counts describe scanner coverage rather than a verified CSRF and authorization posture. Second, "prepared" counts calls that pass through $wpdb->prepare(), which does not by itself rule out a variable interpolated inside the query string.

The plugin's history is the main concern: 10 published CVEs (3 high, 7 medium), the most recent being CVE-2026-2519, disclosed Apr 8, 2026 and fixed in 27.1, the version that was analyzed. Every listed CVE is fixed at or below 27.1 and the tracker reports 0 unpatched, so the analyzed build is not known to be vulnerable to any of them; the concern is the pattern, not an open issue. Seven of the ten are cross-site scripting bugs (stored and reflected, including one unauthenticated stored XSS via the customer name field), one is an authenticated SQL injection, one is a missing-authorization bug that allowed arbitrary file deletion, and the newest lets an unauthenticated user manipulate a price through the 'tips' parameter. These are precisely the input-handling and authorization weaknesses that the static counters above measure only partially.

The cautious reading is therefore: the current code looks good on the metrics, but for a plugin that takes payments and accepts unauthenticated booking input, a clean static scan is a weaker signal than the fact that high-severity bugs have recurred. Keep it on the newest release, watch for advisories (the two 2026 fixes shipped within days of disclosure), and treat any pricing, tip or discount logic as part of the attack surface when reviewing a deployment.

Key Concerns

  • History of High Severity CVEs (3)
  • History of Medium Severity CVEs (7)
  • No Nonce Checks Found (the scanner also enumerated 0 entry points, so this reflects unresolved AJAX routing rather than a confirmed gap; verify by hand)
  • Raw SQL Queries (4 of 47, approx. 9%)
  • Unescaped Output (235 of 1124, approx. 21%)
  • Bundled Libraries (DataTables, Select2: compare the bundled versions against upstream releases)
Vulnerabilities
10 published

Online Scheduling and Appointment Booking System – Bookly Security Vulnerabilities

CVEs by Year

2018: 1 · 2021: 1 · 2023: 5 · 2024: 1 · 2026: 2

Severity Breakdown

High: 3
Medium: 7

10 total CVEs

CVE-2026-2519 (medium, CVSS 5.3) External Control of Assumed-Immutable Web Parameter
  Online Scheduling and Appointment Booking System – Bookly <= 27.0 - Unauthenticated Price Manipulation via 'tips'
  Disclosed Apr 8, 2026; patched in 27.1 (2d)

CVE-2026-32540 (medium, CVSS 6.1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Online Scheduling and Appointment Booking System – Bookly <= 26.7 - Reflected Cross-Site Scripting
  Disclosed Mar 20, 2026; patched in 26.8 (7d)

CVE-2024-5584 (medium, CVSS 6.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  WordPress Online Booking and Scheduling Plugin – Bookly <= 23.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Color Profile Parameter
  Disclosed Jun 10, 2024; patched in 23.3 (1d)

CVE-2023-5209 (medium, CVSS 4.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  WordPress Online Booking and Scheduling Plugin – Bookly <= 22.4.1 - Authenticated (Admin+) Stored Cross-Site Scripting
  Disclosed Nov 6, 2023; patched in 22.5 (78d)

CVE-2023-4691 (medium, CVSS 6.6) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  Bookly <= 22.3.1 - Authenticated (Administrator+) SQL Injection
  Disclosed Sep 25, 2023; patched in 22.4 (120d)

CVE-2023-1159 (medium, CVSS 4.0) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Bookly <= 21.7 - Authenticated (Admin+) Stored Cross-Site Scripting
  Disclosed Jun 1, 2023; patched in 21.8 (236d)

CVE-2023-26526 (high, CVSS 8.1) Missing Authorization
  Bookly <= 21.7.1 - Arbitrary File Deletion
  Disclosed May 11, 2023; patched in 21.8 (257d)

CVE-2023-1172 (high, CVSS 7.2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Bookly <= 21.5 - Unauthenticated Stored Cross-Site Scripting via Name
  Disclosed Mar 17, 2023; patched in 21.5.1 (312d)

CVE-2021-24930 (medium, CVSS 5.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Bookly <= 20.3 - Staff Member Stored Cross-Site Scripting
  Disclosed Nov 8, 2021; patched in 20.3.1 (806d)

CVE-2018-6891 (high, CVSS 7.2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  WordPress Online Booking and Scheduling Plugin – Bookly <= 14.5 - Cross-Site Scripting
  Disclosed Feb 10, 2018; patched in 14.6 (2173d)
Code Analysis
Analyzed Mar 17, 2026

Online Scheduling and Appointment Booking System – Bookly Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (43 prepared)
Unescaped Output: 235 (889 escaped)
Nonce Checks: 0
Capability Checks: 12
File Operations: 0
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

DataTablesSelect2

SQL Query Safety: 91% prepared (47 total queries)

Output Escaping: 79% escaped (1124 total outputs)
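To make the counters above concrete, here is a toy static scanner, written for this page as an added example (it is neither the site's own scanner nor Bookly code), that counts the same things over a constructed PHP handler: $wpdb sinks that go through prepare() versus raw string-built SQL, echo statements that pass through an esc_* or wp_kses function versus those that do not, and nonce and capability checks. It also flags the case the "91% prepared" figure cannot see on its own: a prepare() call whose query string still interpolates a PHP variable. SAMPLE_PHP, the function name demo_ajax_handler and the table name are constructed for the illustration.

```python
"""Toy static scanner for the counters shown in a WordPress plugin code analysis.
Added example; not the page's scanner and not Bookly code. SAMPLE_PHP is constructed."""
import re

SAMPLE_PHP = r'''<?php
// Constructed sample handler, not taken from Bookly.
function demo_ajax_handler() {
    global $wpdb;
    check_ajax_referer( 'demo_nonce', 'nonce' );            // nonce check
    if ( ! current_user_can( 'manage_options' ) ) {          // capability check
        wp_die( 'forbidden' );
    }
    $id   = (int) $_POST['id'];
    $name = $_GET['name'];
    // prepared: placeholder, value passed separately
    $row = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}demo WHERE id = %d", $id ) );
    // raw: user value concatenated into SQL
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}demo WHERE name = '" . $name . "'" );
    // looks prepared, but interpolates $name inside the query string
    $n = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->prefix}demo WHERE name = '$name'" ) );
    echo esc_html( $row->name );                             // escaped output
    echo $row->note;                                         // unescaped output
    echo '<a href="' . esc_url( $row->url ) . '">link</a>';  // escaped output
}
'''

SQL_SINK = re.compile(r"\$wpdb->(?:query|get_results|get_row|get_var|get_col)\s*\(")
ESCAPER = re.compile(r"\b(?:esc_html|esc_attr|esc_url|esc_js|esc_textarea|wp_kses|wp_kses_post)\s*\(")
NONCE_CHECK = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_CHECK = re.compile(r"\bcurrent_user_can\s*\(")
# A PHP variable written directly inside a quoted SQL literal, e.g. '$name' or "$name".
INTERPOLATED_VAR = re.compile(r"['\"]\$[A-Za-z_]\w*['\"]")


def strip_line_comments(src):
    """Drop // comments so their text cannot trigger the pattern matches."""
    return re.sub(r"(?m)(^|\s)//[^\n]*", r"\1", src)


def scan(src):
    """Count per-statement: SQL sinks (prepared / raw / prepared-but-interpolated),
    echo output (escaped / unescaped), nonce checks and capability checks."""
    stats = dict(sql_prepared=0, sql_raw=0, sql_prepare_interpolated=0,
                 output_escaped=0, output_unescaped=0,
                 nonce_checks=0, capability_checks=0)
    for stmt in strip_line_comments(src).split(";"):
        if SQL_SINK.search(stmt):
            if "$wpdb->prepare(" in stmt.replace(" ", ""):
                stats["sql_prepared"] += 1
                if INTERPOLATED_VAR.search(stmt):
                    stats["sql_prepare_interpolated"] += 1
            else:
                stats["sql_raw"] += 1
        if re.search(r"\becho\b", stmt):
            key = "output_escaped" if ESCAPER.search(stmt) else "output_unescaped"
            stats[key] += 1
        stats["nonce_checks"] += len(NONCE_CHECK.findall(stmt))
        stats["capability_checks"] += len(CAP_CHECK.findall(stmt))
    return stats


def ratios(stats):
    """The headline percentages, plus the prepared count net of interpolated prepares."""
    sql = stats["sql_prepared"] + stats["sql_raw"]
    out = stats["output_escaped"] + stats["output_unescaped"]
    return {
        "prepared_pct": round(100 * stats["sql_prepared"] / sql, 1) if sql else None,
        "escaped_pct": round(100 * stats["output_escaped"] / out, 1) if out else None,
        "trustworthy_prepared": stats["sql_prepared"] - stats["sql_prepare_interpolated"],
    }


if __name__ == "__main__":
    s = scan(SAMPLE_PHP)
    print(s)
    print(ratios(s))
```

On the sample this reports 2 prepared and 1 raw query (66.7% prepared) with one of the two prepared calls flagged for interpolation, 2 escaped and 1 unescaped echo, and one nonce and one capability check. The point for reading the page's figures: a prepared-percentage is an upper bound on safe queries, an echo that concatenates an escaped value with an unescaped one is counted as escaped, and a handler with no nonce check is only visible if the scanner reached the handler at all.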
Data Flows · Security
All sanitized

Data Flow Analysis

1 flow
<_email_to_support> (backend\components\support\templates\_email_to_support.php:0)
Attack Surface

Online Scheduling and Appointment Booking System – Bookly Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 13
  action admin_menu (backend\Backend.php:15)
  action all_admin_notices (backend\Backend.php:18)
  action in_admin_header (backend\Backend.php:21)
  filter site_status_tests (backend\Backend.php:28)
  action elementor/elements/categories_registered (backend\Backend.php:40)
  action elementor/editor/before_enqueue_scripts (backend\Backend.php:44)
  action wp_dashboard_setup (backend\components\dashboard\appointments\Widget.php:14)
  filter mce_buttons (backend\components\dialogs\notifications\Dialog.php:18)
  filter mce_buttons_2 (backend\components\dialogs\notifications\Dialog.php:35)
  action admin_footer (backend\components\tiny_mce\Tools.php:14)
  filter media_buttons (backend\components\tiny_mce\Tools.php:15)
  action elementor/editor/footer (backend\components\tiny_mce\Tools.php:16)
  action set_logged_in_cookie (frontend\modules\booking\Ajax.php:1049)
Maintenance & Trust

Online Scheduling and Appointment Booking System – Bookly Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 14, 2026
PHP min version: 5.3.7
Downloads: 3.7M

Community Trust

Rating: 88/100
Number of ratings: 563
Active installs: 70K
Developer Profile

Online Scheduling and Appointment Booking System – Bookly Developer Profile

Bookly

1 plugin · 70K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 399 days (the mean of the per-CVE day counts in the vulnerability list; every count for a CVE disclosed before 2024 ends on the same date, Jan 23, 2024, so those values are measured against a single reference date rather than the actual release of each fix version, and the average is dominated by the 2018 and 2021 entries; the three most recent fixes took 1, 7 and 2 days)
Detection Fingerprints

How We Detect Online Scheduling and Appointment Booking System – Bookly

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bookly-responsive-appointment-booking-tool/frontend/modules/booking/templates/_css.php

HTML / DOM Fingerprints

CSS Classes
bookly-css-root, bookly-form, powered-by-bookly, bookly-js-drag-container
HTML Comments (plugin header block as extracted; two overlapping copies)
Plugin Name: Bookly - Responsive WordPress Appointment Booking and Scheduling Plugin
Plugin URI: https://www.booking-wp-plugin.com/?utm_source=bookly_admin&utm_medium=plugins_page&utm_campaign=plugins_page
Version: (empty in this copy)
Plugin Name: Bookly
Plugin URI: https://www.booking-wp-plugin.com/?utm_source=bookly_admin&utm_medium=plugins_page&utm_campaign=plugins_page
Description: Bookly Plugin - is a great easy-to-use and easy-to-manage booking tool for service providers who think about their customers. The plugin supports a wide range of services provided by business and individuals who offer reservations through websites. Set up any reservation quickly, pleasantly and easily with Bookly!
Version: 27.1
Author: Nota-Info
Author URI: https://www.booking-wp-plugin.com/?utm_source=bookly_admin&utm_medium=plugins_page&utm_campaign=plugins_page
Text Domain: bookly
Domain Path: /languages
License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.html
Data Attributes
data-form_id, bookly-widget-
JS Globals
window.bookly
Shortcode Output
<div class="powered-by-bookly">Powered by<a href="https://www.booking-wp-plugin.com/?utm_source=referral&amp;utm_medium=booking_widget" target="_blank">Bookly</a><a href="https://www.booking-wp-plugin.com/?utm_source=referral&amp;utm_medium=booking_widget" target="_blank">WordPress Booking Plugin</a>
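The fingerprints above are the raw material for a detector; what an auditor actually wants is the step after that, mapping a detected install to the advisories listed on this page. The following is an added example written for this page (not the site's crawler and not Bookly code): it looks for the asset path, CSS classes, JS global, data attribute and shortcode markup in a fetched page, requires more than one independent signal before calling it a hit, extracts a version, and returns the CVEs from the table above whose "<= last affected" range covers that version. SAMPLE_HTML and SAMPLE_README are constructed; the "?ver=" lookup assumes the site exposes the plugin version on the asset URL, which this page does not confirm, so the "Stable tag:" line of the plugin's public readme.txt is used as the fallback.

```python
"""Fingerprint the Bookly plugin in fetched HTML and map the detected version to
the advisories listed on this page. Added example; not the page's crawler and not
Bookly code. SAMPLE_HTML and SAMPLE_README are constructed."""
import re

PLUGIN_SLUG = "bookly-responsive-appointment-booking-tool"

# Fingerprints taken from the Detection Fingerprints section.
ASSET_PATH = (f"/wp-content/plugins/{PLUGIN_SLUG}"
              "/frontend/modules/booking/templates/_css.php")
CSS_CLASSES = ("bookly-css-root", "bookly-form",
               "powered-by-bookly", "bookly-js-drag-container")
JS_GLOBAL = "window.bookly"
DATA_ATTR = "data-form_id"
SHORTCODE_MARKER = '<div class="powered-by-bookly">'

# Advisory table from the Vulnerabilities section: (CVE, last affected, fixed in).
CVE_TABLE = [
    ("CVE-2026-2519", "27.0", "27.1"),
    ("CVE-2026-32540", "26.7", "26.8"),
    ("CVE-2024-5584", "23.2", "23.3"),
    ("CVE-2023-5209", "22.4.1", "22.5"),
    ("CVE-2023-4691", "22.3.1", "22.4"),
    ("CVE-2023-1159", "21.7", "21.8"),
    ("CVE-2023-26526", "21.7.1", "21.8"),
    ("CVE-2023-1172", "21.5", "21.5.1"),
    ("CVE-2021-24930", "20.3", "20.3.1"),
    ("CVE-2018-6891", "14.5", "14.6"),
]


def parse_version(v):
    """'21.5.1' -> (21, 5, 1). Tuple order gives (21, 5) < (21, 5, 1), which is the
    right reading of a '<= 21.5' affected range: 21.5.1 is the fixed release."""
    return tuple(int(p) for p in v.strip().split("."))


def detect(html):
    """Which fingerprints matched. One class name alone is weak evidence; the
    'detected' verdict requires at least two independent signals."""
    classes = set()
    for attr in re.findall(r'class="([^"]*)"', html):
        classes.update(attr.split())
    hits = {
        "asset_path": ASSET_PATH in html,
        "css_classes": [c for c in CSS_CLASSES if c in classes],
        "js_global": JS_GLOBAL in html,
        "data_attr": DATA_ATTR + "=" in html,
        "shortcode_output": SHORTCODE_MARKER in html,
    }
    strong = ("asset_path", "js_global", "data_attr", "shortcode_output")
    hits["signals"] = sum(1 for k in strong if hits[k]) + (1 if hits["css_classes"] else 0)
    hits["detected"] = hits["signals"] >= 2
    return hits


def extract_version(html, readme_txt=None):
    """Version from '?ver=' on the plugin's own asset URL (assumption: present),
    otherwise from the 'Stable tag:' line of the plugin's readme.txt."""
    m = re.search(re.escape(ASSET_PATH) + r"[^\"'\s]*?[?&]ver=([0-9.]+)", html)
    if m:
        return m.group(1).rstrip(".")
    if readme_txt:
        m = re.search(r"(?im)^\s*Stable tag:\s*([0-9.]+)", readme_txt)
        if m:
            return m.group(1).rstrip(".")
    return None


def affected_cves(version):
    """CVEs from the table whose '<= last affected' range covers this version."""
    v = parse_version(version)
    return [cve for cve, last_bad, _fixed in CVE_TABLE if v <= parse_version(last_bad)]


def assess(html, readme_txt=None):
    """Detection verdict, detected version (if any) and the applicable CVE list."""
    hits = detect(html)
    version = extract_version(html, readme_txt) if hits["detected"] else None
    return {"detected": hits["detected"], "version": version,
            "cves": affected_cves(version) if version else []}


# Constructed page fragment, not captured from a real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.invalid/wp-content/plugins/bookly-responsive-appointment-booking-tool/frontend/modules/booking/templates/_css.php?ver=26.7">
<script>window.bookly = window.bookly || {};</script>
</head><body>
<div class="bookly-css-root bookly-form" data-form_id="bookly-widget-1">
  <div class="powered-by-bookly">Powered by<a href="https://www.booking-wp-plugin.com/" target="_blank">Bookly</a></div>
</div>
</body></html>"""
SAMPLE_README = "=== Bookly ===\nStable tag: 27.1\n"

if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
    print(assess("<html><body>no booking here</body></html>", SAMPLE_README))
```

On the constructed sample the plugin is detected on five signals at version 26.7, which the table maps to CVE-2026-2519 and CVE-2026-32540; a site on 27.1 maps to nothing. Version comparison is done on the page's own "<= version" ranges, so the result is only as good as that table and says nothing about an unlisted or not-yet-published issue.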