Appointment Booking Calendar Security & Risk Analysis

wordpress.org/plugins/creavi-booking-service

Easy appointment booking system for any service. Create services, manage availability, and accept bookings with a simple booking calendar.

10 active installs v1.4.1 PHP 7.4+ WP 6.0+ Updated Apr 16, 2026
appointmentsbookingbooking-calendarbookingstime-slot
99
A · Safe
CVEs total1
Unpatched0
Last CVEJun 18, 2026
Download
Safety Verdict

Is Appointment Booking Calendar Safe to Use in 2026?

Generally Safe

Score 99/100

Appointment Booking Calendar has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Jun 18, 2026Updated 2mo ago
Risk Assessment

The Creavi Booking Service plugin version 1.2.1 exhibits a generally good security posture based on the static analysis provided. The plugin demonstrates strong adherence to security best practices by utilizing prepared statements for all SQL queries and implementing nonce and capability checks for all identified entry points, including AJAX handlers and cron events. The absence of dangerous functions and external HTTP requests with potential for injection is also a positive indicator. However, a notable concern arises from the taint analysis, which identified one flow with unsanitized paths. While this did not result in a critical or high severity finding, it represents a potential vector for certain types of vulnerabilities if not properly handled. The plugin's vulnerability history is clean, with no recorded CVEs, which is highly encouraging and suggests a commitment to security by the developers. Despite the single unsanitized path flow, the overall security of this plugin appears robust due to its comprehensive use of security checks and the lack of historical vulnerabilities.

Key Concerns

  • Flows with unsanitized paths detected
  • Low percentage of properly escaped output
Vulnerabilities
1 published

Appointment Booking Calendar Security Vulnerabilities

CVEs by Year

1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-1856medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label

Jun 18, 2026 Patched in 1.4.5 (1d)
Version History

Appointment Booking Calendar Release Timeline

v1.4.1Current1 CVE
v1.4.01 CVE
v1.3.11 CVE
v1.3.01 CVE
v1.2.11 CVE
v1.2.01 CVE
v1.1.91 CVE
v1.1.81 CVE
v1.1.71 CVE
v1.1.61 CVE
v1.1.51 CVE
v1.1.41 CVE
v1.1.31 CVE
v1.1.21 CVE
v1.1.11 CVE
v1.1.01 CVE
v1.0.171 CVE
v1.0.161 CVE
v1.0.151 CVE
v1.0.141 CVE
Code Analysis
Analyzed Mar 17, 2026

Appointment Booking Calendar Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
136
270 escaped
Nonce Checks
18
Capability Checks
14
File Operations
2
External Requests
14
Bundled Libraries
0

Output Escaping

67% escaped406 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths
<cbs-gcal-remote> (includes\cbs-gcal-remote.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Appointment Booking Calendar Attack Surface

Entry Points8
Unprotected0

AJAX Handlers 6

authwp_ajax_creavibc_create_bookingincludes\ajax-handlers.php:410
noprivwp_ajax_creavibc_create_bookingincludes\ajax-handlers.php:411
authwp_ajax_creavibc_get_booked_slotsincludes\ajax-handlers.php:1012
noprivwp_ajax_creavibc_get_booked_slotsincludes\ajax-handlers.php:1013
authwp_ajax_creavibc_save_deactivation_feedbackincludes\deactivation-feedback.php:234
authwp_ajax_cbs_admin_get_busy_slotsincludes\gcal-freebusy.php:234

Shortcodes 2

[creavibc_booking_button] includes\functions.php:14
[creavibc_booking_inline] includes\render-booking-inline.php:14
WordPress Hooks 38
actionplugins_loadedcreavi-booking-service.php:21
actionwp_enqueue_scriptscreavi-booking-service.php:62
actionadmin_menucreavi-booking-service.php:126
actiontransition_post_statusincludes\activation-metrics.php:167
actionadmin_initincludes\activation-redirect.php:9
filterenter_title_hereincludes\admin.php:7
actionedit_form_after_titleincludes\admin.php:19
actionadmin_headincludes\admin.php:66
actionadmin_enqueue_scriptsincludes\admin.php:108
actionedit_form_topincludes\admin.php:287
filterdefault_contentincludes\admin.php:296
actionpost_submitbox_misc_actionsincludes\admin.php:325
actionwp_mail_failedincludes\ajax-handlers.php:274
actionadmin_menuincludes\cbs-gcal-remote.php:135
actionadmin_post_creavibc_gcal_disconnectincludes\cbs-gcal-remote.php:183
actionadmin_post_creavibc_gcal_disconnect_serviceincludes\cbs-gcal-remote.php:258
actionadmin_initincludes\cbs-gcal-remote.php:289
actionadmin_post_creavibc_gcal_selftestincludes\cbs-gcal-remote.php:784
actionadmin_enqueue_scriptsincludes\deactivation-feedback.php:96
actionadmin_footerincludes\deactivation-feedback.php:152
actionwp_footerincludes\functions.php:36
actionwp_enqueue_scriptsincludes\functions.php:236
actionwp_footerincludes\functions.php:265
actionadd_meta_boxesincludes\meta-boxes.php:4
filterget_user_option_meta-box-order_creavibc_serviceincludes\meta-boxes.php:110
actioninitincludes\meta-boxes.php:140
filtermanage_creavibc_service_posts_columnsincludes\meta-boxes.php:1354
actionmanage_creavibc_service_posts_custom_columnincludes\meta-boxes.php:1360
actionadmin_initincludes\placeholders.php:71
actiondeleted_post_metaincludes\placeholders.php:82
actionupdated_post_metaincludes\placeholders.php:100
actionsave_postincludes\placeholders.php:121
actioninitincludes\post-types.php:4
filtercron_schedulesincludes\reminders.php:15
actioninitincludes\reminders.php:26
actioncreavibc_run_remindersincludes\reminders.php:32
actionsave_post_creavibc_serviceincludes\save-service.php:4
actionbefore_delete_postincludes\save-service.php:440

Scheduled Events 1

creavibc_run_reminders
Maintenance & Trust

Appointment Booking Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedApr 16, 2026
PHP min version7.4
Downloads2K

Community Trust

Rating100/100
Number of ratings4
Active installs10
Developer Profile

Appointment Booking Calendar Developer Profile

Creavi

2 plugins · 310 total installs

100
trust score
Avg Security Score
100/100
Avg Patch Time
1 days
View full developer profile
Detection Fingerprints

How We Detect Appointment Booking Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/creavi-booking-service/assets/css/style.css/wp-content/plugins/creavi-booking-service/assets/vendor/flatpickr/flatpickr.min.css/wp-content/plugins/creavi-booking-service/assets/vendor/flatpickr/l10n/fr.js/wp-content/plugins/creavi-booking-service/assets/vendor/flatpickr/l10n/da.js/wp-content/plugins/creavi-booking-service/assets/vendor/luxon/luxon.min.js/wp-content/plugins/creavi-booking-service/assets/vendor/flatpickr/flatpickr.min.js
Script Paths
/wp-content/plugins/creavi-booking-service/assets/vendor/luxon/luxon.min.js/wp-content/plugins/creavi-booking-service/assets/vendor/flatpickr/flatpickr.min.js/wp-content/plugins/creavi-booking-service/assets/vendor/flatpickr/l10n/fr.js/wp-content/plugins/creavi-booking-service/assets/vendor/flatpickr/l10n/da.js
Version Parameters
creavi-booking-service/assets/css/style.css?ver=creavi-booking-service/assets/vendor/flatpickr/flatpickr.min.css?ver=creavi-booking-service/assets/vendor/flatpickr/flatpickr.min.js?ver=creavi-booking-service/assets/vendor/flatpickr/l10n/fr.js?ver=creavi-booking-service/assets/vendor/flatpickr/l10n/da.js?ver=creavi-booking-service/assets/vendor/luxon/luxon.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
creavibc-basics-boxcreavibc-title-hostcreavibc-editor-host
HTML Comments
<!-- Service Title (metabox style) --><!-- Move WP title field (#titlediv) here --><!-- Service Description (metabox style) --><!-- Move WP editor (#postdivrich) here -->
Data Attributes
id="creavibc_service_title_box"id="creavibc_service_desc_box"id="creavibc-title-host"id="creavibc-editor-host"
FAQ

Frequently Asked Questions about Appointment Booking Calendar