
Cal.com Security & Risk Analysis
wordpress.org/plugins/cal-com
Embed Cal.com booking calendar in WordPress with custom UI and admin widget support.
Is Cal.com Safe to Use in 2026?
Generally Safe
Score 99/100
Cal.com has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.
The "cal-com" v1.0.0 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals strong adherence to secure coding practices. There are no dangerous functions, all SQL queries are prepared, and all output is properly escaped. The absence of file operations, external HTTP requests, and apparent taint flows with unsanitized paths is also reassuring. However, the plugin does have one known unpatched CVE of medium severity, which is a significant concern. Additionally, while the attack surface is small, the lack of explicit capability checks and nonce checks on the single shortcode could potentially be leveraged if an attacker can control user input rendered by that shortcode in a vulnerable context. The presence of a past Cross-site Scripting vulnerability, even if patched in earlier versions, suggests that input sanitization and output escaping need continuous vigilance. The fact that the last vulnerability was dated in the future (2025-03-31) is an anomaly that might indicate a data error or a prediction, but the existing medium unpatched CVE is a concrete risk.
Key Concerns
- Unpatched medium severity CVE
- Missing capability checks on shortcode
- Missing nonce checks on shortcode
Cal.com Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
Cal.com <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Cal.com Code Analysis
Output Escaping
Cal.com Attack Surface
Shortcodes 1
WordPress Hooks 1
Cal.com Maintenance & Trust
Maintenance Signals
Community Trust
Cal.com Alternatives
Appointment Bookings for Zoom GoogleMeet and more – Wappointment
wappointment
Get clients to quickly book a meeting with you by Zoom, GoogleMeet, phone or at your office
Ultimate Appointment Booking & Scheduling
ultimate-appointment-scheduling
Appointment booking calendar and scheduling plugin that lets you set up different services, service providers, locations and availability
3veta Booking Page for WordPress
3veta
3veta Booking Page for WordPress allows you to embed your 3veta booking page to your WordPress website in a simple and easy way.
Appointment scheduling and Booking Manager
appointment-scheduling-and-booking-manager
Offer self-service online appointment scheduling by BuddyPress Members, and get more appointments in less time.
Optix calendar
optix-calendar
Integrate the Optix calendar into your website so your clients can book appointments in just a few clicks!
Cal.com Developer Profile
1 plugin · 1K total installs
How We Detect Cal.com
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/cal-com/assets/js/embed.js
- /wp-content/plugins/cal-com/assets/css/style.css
- cal-com/assets/js/embed.js?ver=
- cal-com/assets/css/style.css?ver=
HTML / DOM Fingerprints
- data-cal-link
- Cal
- <span id="calcom-embed-link"
- <div id="calcom-embed"></div>