CP Appointment Calendar Security & Risk Analysis

wordpress.org/plugins/cp-appointment-calendar

CP Appointment Calendar allows you to define "available" time slots that can be booked by the website visitors.

100 active installs · v1.1.40 · PHP + WP 3.0.5+ · Updated Dec 26, 2025
Tags: appointments, bookings, calendar, payments, paypal
98
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Feb 12, 2015
Safety Verdict

Is CP Appointment Calendar Safe to Use in 2026?

Generally Safe

Score 98/100

CP Appointment Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 12, 2015 · Updated 3mo ago
Risk Assessment

The "cp-appointment-calendar" plugin version 1.1.40 presents a mixed security posture. While it demonstrates some good practices like utilizing prepared statements for a majority of its SQL queries and performing capability checks, significant concerns remain. The presence of an unprotected AJAX handler is a critical vulnerability, creating a direct entry point for potential attacks without any authentication or authorization checks. This, combined with a high percentage of improperly escaped outputs and a taint flow with unsanitized paths, indicates a notable risk of data manipulation or leakage.

The plugin's vulnerability history, with a past critical SQL injection CVE, reinforces the concern around its handling of user input and database interactions. Although there are currently no unpatched CVEs, the historical critical vulnerability suggests a recurring pattern of issues that require careful attention. The limited attack surface is a positive, but the single unprotected AJAX handler is a severe weakness. In conclusion, while not riddled with vulnerabilities, the identified unprotected entry point, output escaping issues, and historical critical vulnerability warrant a cautious approach to its use.

Key Concerns

  • Unprotected AJAX handler
  • Taint flow with unsanitized paths (High severity)
  • Improperly escaped outputs (62% proper)
  • Past critical CVE (SQL Injection)
Vulnerabilities
1

CP Appointment Calendar Security Vulnerabilities

CVEs by Year

1 CVE in 2015

Severity Breakdown

Critical: 1

1 total CVE

CVE-2015-10099 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CP Appointment Calendar <= 1.1.5 - Unauthenticated SQL Injection

Feb 12, 2015 · Patched in 1.1.6 (3403d)
Code Analysis
Analyzed Mar 16, 2026

CP Appointment Calendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (5 prepared)
Unescaped Output: 47 (76 escaped)
Nonce Checks: 1
Capability Checks: 4
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

63% prepared · 8 total queries

Output Escaping

62% escaped · 123 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

6 flows · 1 with unsanitized paths
dex_appointments_check_IPN_verification (dex_appointments.php:327)
Attack Surface
1 unprotected

CP Appointment Calendar Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_cpappcal_feedback · cp-feedback.php:3

WordPress Hooks 13

action · admin_enqueue_scripts · cp-feedback.php:2
action · admin_footer · cp-feedback.php:18
filter · the_content · dex_appointments.php:123
action · media_buttons · dex_appointments.php:152
action · admin_enqueue_scripts · dex_appointments.php:153
action · admin_menu · dex_appointments.php:154
action · admin_init · dex_appointments.php:155
action · init · dex_appointments.php:233
action · init · dex_appointments.php:325
action · init · dex_appointments.php:415
action · init · dex_appointments.php:416
action · init · dex_appointments.php:417
action · init · dex_appointments.php:418
Maintenance & Trust

CP Appointment Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 26, 2025
PHP min version
Downloads: 30K

Community Trust

Rating: 60/100
Number of ratings: 8
Active installs: 100
Developer Profile

CP Appointment Calendar Developer Profile

codepeople

34 plugins · 89K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 964 days
Detection Fingerprints

How We Detect CP Appointment Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cp-appointment-calendar/css/dex_appointments.css
/wp-content/plugins/cp-appointment-calendar/css/jquery-ui.css
/wp-content/plugins/cp-appointment-calendar/css/jquery-ui.theme.css
/wp-content/plugins/cp-appointment-calendar/js/dex_appointments.js
/wp-content/plugins/cp-appointment-calendar/js/dex_scheduler.js
/wp-content/plugins/cp-appointment-calendar/js/jquery.min.js
/wp-content/plugins/cp-appointment-calendar/js/jquery-ui.min.js
/wp-content/plugins/cp-appointment-calendar/js/dex_appointments_frontend.js
Script Paths
/wp-content/plugins/cp-appointment-calendar/js/dex_appointments.js
/wp-content/plugins/cp-appointment-calendar/js/dex_scheduler.js
/wp-content/plugins/cp-appointment-calendar/js/dex_appointments_frontend.js
Version Parameters
cp-appointment-calendar/css/dex_appointments.css?ver=
cp-appointment-calendar/css/jquery-ui.css?ver=
cp-appointment-calendar/css/jquery-ui.theme.css?ver=
cp-appointment-calendar/js/dex_appointments.js?ver=
cp-appointment-calendar/js/dex_scheduler.js?ver=
cp-appointment-calendar/js/jquery.min.js?ver=
cp-appointment-calendar/js/jquery-ui.min.js?ver=
cp-appointment-calendar/js/dex_appointments_frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
dex-appointments-wrap
Data Attributes
data-dextimeformat
data-dexappointmentid
JS Globals
dex_appointments_plugin_obj
Shortcode Output
[APPOINTMENT_CALENDAR_FORM_WILL_APPEAR_HERE]