Bookster – WordPress Appointment Booking Plugin Security & Risk Analysis

wordpress.org/plugins/bookster

Manage real-time bookings with ease. Accept online or in-person payments seamlessly on your WordPress site.

200 active installs · v3.0.1 · PHP 7.4+ · WP 6.2+ · Updated Apr 10, 2026
Tags: appointment, appointment-booking, appointment-scheduling, booking, calendar
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is Bookster – WordPress Appointment Booking Plugin Safe to Use in 2026?

Generally Safe

Score 98/100

Bookster – WordPress Appointment Booking Plugin has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

The 'bookster' plugin v3.0.1 exhibits a mixed security posture. It demonstrates good practices in several areas, with a very high percentage of properly escaped output and SQL queries utilizing prepared statements. The absence of critical or high severity taint analysis findings and the fact that all previously identified CVEs are now patched are positive indicators.

However, the plugin does present specific security concerns that warrant attention. The presence of two AJAX handlers without authentication checks creates a significant attack surface. While taint analysis didn't reveal critical issues, the one identified flow with unsanitized paths, even if not classified as critical or high, is a potential entry point for vulnerabilities. Furthermore, the vulnerability history shows a pattern of medium severity issues, including SQL injection and authorization bypass. Past vulnerabilities have been addressed, but the fact that these types of flaws have been present indicates a need for continued vigilance.

In conclusion, while 'bookster' has strengths in secure coding practices like output escaping and prepared statements, the unprotected AJAX endpoints and past medium-severity vulnerabilities indicate areas where further hardening is necessary to achieve a robust security posture.

Key Concerns

  • AJAX handlers without auth checks
  • Flows with unsanitized paths
  • Previous medium severity SQL injection
  • Previous medium severity auth bypass
Vulnerabilities
2 published

Bookster – WordPress Appointment Booking Plugin Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2026: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-8781 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Bookster – WordPress Appointment Booking Plugin <= 2.1.1 - Authenticated (Administrator+) SQL Injection via 'raw'

Feb 17, 2026 Patched in 2.2.0 (2d)
CVE-2024-5071 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

Bookster – WordPress Appointment Booking Plugin <= 1.1.0 - Unauthenticated Appointment Manipulation

Jun 5, 2024 Patched in 1.2.0 (36d)
Version History

Bookster – WordPress Appointment Booking Plugin Release Timeline

v3.0.1 (Current)
v3.0.0
v2.2.0
v2.1.1 (1 CVE)
v2.0.1 (1 CVE)
v2.0 (1 CVE)
v1.3.3 (1 CVE)
v1.3.2 (1 CVE)
v1.3.1 (1 CVE)
v1.3.0 (1 CVE)
v1.2.0 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

Bookster – WordPress Appointment Booking Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 9 (84 prepared)
Unescaped Output: 2 (174 escaped)
Nonce Checks: 3
Capability Checks: 27
File Operations: 1
External Requests: 9
Bundled Libraries: 1

Bundled Libraries

Lodash

SQL Query Safety

90% prepared · 93 total queries

Output Escaping

99% escaped · 176 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
send_async_request (src\Features\Tasks\Dispatcher\AsyncDispatcher.php:235)
Attack Surface
2 unprotected

Bookster – WordPress Appointment Booking Plugin Attack Surface

Entry Points: 5
Unprotected: 2

AJAX Handlers 2

auth wp_ajax_bookster_reload_nonce src\Engine\Ajax.php:14
nopriv wp_ajax_bookster_reload_nonce src\Engine\Ajax.php:15

Shortcodes 3

[bookster_booking_button] src\Engine\FEBlocks\BookingButtonShortcode.php:20
[bookster_booking_form] src\Engine\FEBlocks\BookingFormShortcode.php:20
[bookster_customer_dashboard] src\Engine\FEBlocks\CustomerDashboardShortcode.php:20
WordPress Hooks 57
action admin_init bookster.php:30
action init bookster.php:46
action admin_notices bookster.php:79
action admin_notices bookster.php:97
action admin_init bookster.php:113
action plugins_loaded bookster.php:123
action wpmu_new_blog src\Engine\ActDeact.php:28
action admin_init src\Engine\ActDeact.php:29
filter bookster_agent_capabilities src\Engine\ActDeact.php:30
filter display_post_states src\Engine\Admin.php:21
action admin_notices src\Engine\AdminNotice.php:29
action admin_notices src\Engine\AdminNotice.php:34
action profile_update src\Engine\Auth.php:25
filter woocommerce_disable_admin_bar src\Engine\Auth.php:28
filter woocommerce_prevent_admin_access src\Engine\Auth.php:29
action admin_bar_menu src\Engine\BEPages\AgentPage.php:29
action admin_menu src\Engine\BEPages\AgentPage.php:32
action admin_enqueue_scripts src\Engine\BEPages\AgentPage.php:33
action admin_bar_menu src\Engine\BEPages\ManagerPage.php:30
action admin_menu src\Engine\BEPages\ManagerPage.php:33
action admin_enqueue_scripts src\Engine\BEPages\ManagerPage.php:34
action admin_menu src\Engine\BEPages\SetupWizardPage.php:32
action admin_enqueue_scripts src\Engine\BEPages\SetupWizardPage.php:33
action current_screen src\Engine\BEPages\SetupWizardPage.php:34
filter bookster_validate_booking_input src\Engine\Booking\BookingLogic.php:25
action init src\Engine\FEBlocks\BookingButtonBlock.php:19
action wp_footer src\Engine\FEBlocks\BookingButtonBlock.php:20
filter bookster_module_handles src\Engine\FEBlocks\BookingButtonBlock.php:21
action init src\Engine\FEBlocks\BookingFormBlock.php:21
action wp_footer src\Engine\FEBlocks\BookingFormBlock.php:22
filter bookster_module_handles src\Engine\FEBlocks\BookingFormBlock.php:23
action init src\Engine\FEBlocks\CustomerDashboardBlock.php:21
action wp_footer src\Engine\FEBlocks\CustomerDashboardBlock.php:22
filter bookster_module_handles src\Engine\FEBlocks\CustomerDashboardBlock.php:23
action bookster_request_booking_success src\Engine\Intergration\EmailNotification.php:23
action bookster_manager_create_appointment src\Engine\Intergration\EmailNotification.php:24
action bookster_manager_update_appointment src\Engine\Intergration\EmailNotification.php:25
action bookster_request_booking_success src\Engine\Intergration\InAppNotification.php:27
action bookster_manager_create_appointment src\Engine\Intergration\InAppNotification.php:28
action bookster_agent_create_appointment src\Engine\Intergration\InAppNotification.php:29
action bookster_manager_update_appointment src\Engine\Intergration\InAppNotification.php:30
action bookster_manager_delete_appointment src\Engine\Intergration\InAppNotification.php:32
action bookster_license_expiring_soon src\Engine\Intergration\InAppNotification.php:36
action bookster_license_expired src\Engine\Intergration\InAppNotification.php:37
filter script_loader_tag src\Engine\Register\RegisterFacade.php:20
action init src\Engine\Register\RegisterFacade.php:22
filter pre_load_script_translations src\Engine\Register\RegisterFacade.php:23
action init src\Engine\Register\RegisterProd.php:13
action rest_api_init src\Engine\RestAPI.php:28
filter cron_schedules src\Engine\Tasks\RegisterTasks.php:14
filter pre_set_site_transient_update_plugins src\Features\License\EDD_SL_Plugin_Updater.php:68
filter plugins_api src\Features\License\EDD_SL_Plugin_Updater.php:69
action after_plugin_row src\Features\License\EDD_SL_Plugin_Updater.php:70
action admin_init src\Features\License\EDD_SL_Plugin_Updater.php:71
action init src\Features\License\LicenseHandler.php:50
action shutdown src\Features\Tasks\Dispatcher\AsyncDispatcher.php:20
filter upgrader_package_options src\Services\AddonsService.php:518
Maintenance & Trust

Bookster – WordPress Appointment Booking Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 10, 2026
PHP min version: 7.4
Downloads: 10K

Community Trust

Rating: 100/100
Number of ratings: 7
Active installs: 200
Developer Profile

Bookster – WordPress Appointment Booking Plugin Developer Profile

Bookster

6 plugins · 260 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 19 days
Detection Fingerprints

How We Detect Bookster – WordPress Appointment Booking Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bookster/assets/css/admin-hidden.css
/wp-content/plugins/bookster/assets/css/bookster.css
/wp-content/plugins/bookster/assets/css/bookster-font.css
/wp-content/plugins/bookster/assets/css/reset-theme.css
/wp-content/plugins/bookster/assets/css/animate.min.css
/wp-content/plugins/bookster/assets/js/page-manager.js
/wp-content/plugins/bookster/assets/js/page-agent.js
/wp-content/plugins/bookster/assets/js/page-setup-wizard.js
+1 more
Script Paths
/wp-content/plugins/bookster/assets/js/page-manager.js
/wp-content/plugins/bookster/assets/js/page-agent.js
/wp-content/plugins/bookster/assets/js/page-setup-wizard.js
/wp-content/plugins/bookster/assets/js/block-booking-button.js
Version Parameters
bookster.css?ver=
admin-hidden.css?ver=
bookster-font.css?ver=
reset-theme.css?ver=
animate.min.css?ver=
page-manager.js?ver=
page-agent.js?ver=
page-setup-wizard.js?ver=
block-booking-button.js?ver=

HTML / DOM Fingerprints

CSS Classes
bookster-main-wrapper
bookster-custom-input
bookster-booking-form
bookster-date-picker-wrapper
bookster-time-picker-wrapper
bookster-appointment-item
bookster-service-item
bookster-staff-item
+3 more
HTML Comments
<!-- Bookster: Generated JS Variables -->
<!-- Bookster: Widget Wrapper -->
Data Attributes
data-bookster-preview-appt
data-bookster-booking-id
data-bookster-service-id
data-bookster-staff-id
data-bookster-date
data-bookster-time
JS Globals
window.booksterPreviewAppt
BooksterPublicData
BooksterManagerData
BooksterMetaData
BooksterAddons
REST Endpoints
/wp-json/bookster/v1/settings
/wp-json/bookster/v1/services
/wp-json/bookster/v1/staff
/wp-json/bookster/v1/appointments
/wp-json/bookster/v1/bookings
/wp-json/bookster/v1/payment
Shortcode Output
[bookster_booking_form]
[bookster_appointment_list]
[bookster_staff_directory]
[bookster_service_listing]