Easy Appointments Security & Risk Analysis

wordpress.org/plugins/easy-appointments

Add Booking system to your WordPress site and manage Appointments with ease. Extremely flexible time management and custom email notifications.

Active installs: 10K · Version: 3.12.21 · PHP 5.3+ · WP 3.7+ · Updated Feb 24, 2026
Tags: appointment, appointments, booking, calendar, reservation
Security score: 96 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Sep 9, 2025
Safety Verdict

Is Easy Appointments Safe to Use in 2026?

Generally Safe

Score 96/100

Easy Appointments has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Sep 9, 2025 · Updated 1mo ago
Risk Assessment

The "easy-appointments" plugin version 3.12.21 presents a mixed security posture. While it demonstrates good practices in areas like SQL query sanitization (89% prepared statements) and output escaping (84%), significant concerns arise from its attack surface and taint analysis.

A substantial portion of its entry points, specifically 40 out of 58, are unprotected by authentication or authorization checks. This includes 38 AJAX handlers and 2 REST API routes that lack proper permission callbacks. The taint analysis reveals 13 high-severity flows with unsanitized paths, indicating a direct risk of malicious input being processed without adequate validation.

The plugin's historical vulnerability record, 7 known medium-severity CVEs (all currently patched, the most recent disclosed Sep 9, 2025), suggests a pattern of past security weaknesses. The recurring vulnerability types, code injection and cross-site scripting, are particularly concerning given the taint analysis findings. While the absence of unpatched critical or high-severity CVEs is positive, the existing attack surface and taint issues, coupled with the past vulnerabilities, warrant caution.

Key Concerns

  • Large attack surface without auth checks
  • High severity taint flows with unsanitized paths
  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • 13% of SQL queries not using prepared statements
  • 16% of outputs not properly escaped
  • 7 medium severity CVEs historically
Vulnerabilities (7)

Easy Appointments Security Vulnerabilities

CVEs by Year

  • 2017: 1 CVE
  • 2022: 1 CVE
  • 2023: 2 CVEs
  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

Medium: 7 (7 total CVEs)

CVE-2025-49398 · medium · 6.5 · Improper Control of Generation of Code ('Code Injection')
Easy Appointments <= 3.12.14 - Unauthenticated Arbitrary Shortcode Execution
Sep 9, 2025 · Patched in 3.12.14.1 (65d)

CVE-2024-2842 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Appointments <= 3.11.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
Mar 28, 2024 · Patched in 3.11.19 (1d)

CVE-2024-2844 · medium · 4.3 · Missing Authorization
Easy Appointments <= 3.11.18 - Insufficient Authorization
Mar 28, 2024 · Patched in 3.11.19 (1d)

CVE-2022-36424 · medium · 6.3 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Appointments <= 3.11.9 - Cross-Site Request Forgery via multiple AJAX actions
May 5, 2023 · Patched in 3.11.10 (263d)

CVE-2023-30748 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Appointments <= 3.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Apr 14, 2023 · Patched in 3.11.1 (284d)

CVE-2022-4668 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Appointments <= 3.10.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Dec 27, 2022 · Patched in 3.11.0 (392d)

CVE-2017-15812 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Appointments < 1.12.0 - Cross-Site Scripting
Oct 16, 2017 · Patched in 1.12.0 (2290d)
Code Analysis
Analyzed Mar 16, 2026

Easy Appointments Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 16 (133 prepared)
Unescaped Output: 60 (320 escaped)
Nonce Checks: 15
Capability Checks: 29
File Operations: 7
External Requests: 2
Bundled Libraries: 2

Bundled Libraries

Select2, jQuery

SQL Query Safety

89% prepared (149 total queries)

Output Escaping

84% escaped (380 total outputs)
Data Flows (13 unsanitized)

Data Flow Analysis

20 flows, 13 with unsanitized paths
[Data flow diagram: source (user input) to sink (dangerous op), with sanitizer and transform steps; node shown: <admin> (src\admin.php:0)]
Attack Surface (40 unprotected)

Easy Appointments Attack Surface

Entry Points: 58
Unprotected: 40

AJAX Handlers (52)

auth · wp_ajax_easy_ea_newsletter_submit · src\admin.php:1413
auth · wp_ajax_easy_ea_newsletter_hide_form · src\admin.php:1428
nopriv · wp_ajax_ea_next_step · src\ajax.php:87
auth · wp_ajax_ea_next_step · src\ajax.php:88
nopriv · wp_ajax_ea_date_selected · src\ajax.php:90
auth · wp_ajax_ea_date_selected · src\ajax.php:91
auth · wp_ajax_ea_res_appointment · src\ajax.php:93
nopriv · wp_ajax_ea_res_appointment · src\ajax.php:94
auth · wp_ajax_ea_final_appointment · src\ajax.php:96
nopriv · wp_ajax_ea_final_appointment · src\ajax.php:97
auth · wp_ajax_ea_cancel_appointment · src\ajax.php:99
nopriv · wp_ajax_ea_cancel_appointment · src\ajax.php:100
auth · wp_ajax_ea_month_status · src\ajax.php:102
nopriv · wp_ajax_ea_month_status · src\ajax.php:103
auth · wp_ajax_ea_search_customers · src\ajax.php:104
auth · wp_ajax_ea_get_customer_detail · src\ajax.php:105
auth · wp_ajax_ea_update_customer_data · src\ajax.php:106
auth · wp_ajax_ea_save_custom_columns · src\ajax.php:119
auth · wp_ajax_ea_errors · src\ajax.php:121
auth · wp_ajax_ea_test_wp_mail · src\ajax.php:123
auth · wp_ajax_ea_reset_plugin · src\ajax.php:124
auth · wp_ajax_ea_appointments · src\ajax.php:127
auth · wp_ajax_ea_appointment · src\ajax.php:130
auth · wp_ajax_ea_services · src\ajax.php:133
auth · wp_ajax_ea_service · src\ajax.php:136
auth · wp_ajax_ea_update_order · src\ajax.php:139
auth · wp_ajax_ea_locations · src\ajax.php:142
auth · wp_ajax_ea_location · src\ajax.php:145
auth · wp_ajax_ea_worker · src\ajax.php:148
auth · wp_ajax_ea_is_pro_exist · src\ajax.php:149
auth · wp_ajax_ea_workers · src\ajax.php:154
auth · wp_ajax_ea_connection · src\ajax.php:157
auth · wp_ajax_ea_connections · src\ajax.php:160
auth · wp_ajax_ea_open_times · src\ajax.php:163
auth · wp_ajax_ea_setting · src\ajax.php:166
auth · wp_ajax_ea_settings · src\ajax.php:169
auth · wp_ajax_ea_report · src\ajax.php:172
auth · wp_ajax_ea_fields · src\ajax.php:175
auth · wp_ajax_ea_field · src\ajax.php:176
auth · wp_ajax_ea_export · src\ajax.php:177
auth · wp_ajax_ea_default_template · src\ajax.php:178
auth · wp_ajax_ea_send_query_message · src\ajax.php:179
auth · wp_ajax_cancel_selected_appointments · src\ajax.php:180
auth · wp_ajax_delete_selected_appointment · src\ajax.php:181
auth · wp_ajax_ea_get_customers_ajax · src\ajax.php:183
auth · wp_ajax_ea_update_customer_ajax · src\ajax.php:184
auth · wp_ajax_ea_insert_customer_ajax · src\ajax.php:185
auth · wp_ajax_ea_get_customer_detail_ajax · src\ajax.php:186
auth · wp_ajax_ea_delete_customer · src\ajax.php:187
auth · wp_ajax_ea_delete_multiple_connections · src\ajax.php:188
auth · wp_ajax_ea_full_export · src\ajax.php:190
auth · wp_ajax_ea_full_import · src\ajax.php:191

REST API Routes (3)

GET · /wp-json/wp/v2/eablocks/get_ea_options/ · ea-blocks\ea-blocks.php:74
GET · /wp-json/wp/v2/eablocks/ea_appointments/ · ea-blocks\ea-blocks.php:187
POST · /wp-json/wp/v2/eablocks/render_shortcode · ea-blocks\ea-blocks.php:307

Shortcodes (3)

[ea_standard] src\frontend.php:60
[ea_bootstrap] src\frontend.php:63
[ea_full_calendar] src\shortcodes\fullcalendar.php:55
WordPress Hooks (31)

action · init · ea-blocks\ea-blocks.php:34
action · rest_api_init · ea-blocks\ea-blocks.php:73
action · rest_api_init · ea-blocks\ea-blocks.php:186
action · rest_api_init · ea-blocks\ea-blocks.php:306
action · plugins_loaded · main.php:95
action · easyapp_hourly_event · main.php:98
action · ea_daily_expire_appointments · main.php:100
action · ea_gdpr_auto_delete · main.php:102
action · init · main.php:105
action · rest_api_init · main.php:107
action · admin_menu · src\admin.php:76
action · admin_menu · src\admin.php:77
action · admin_init · src\admin.php:80
action · admin_init · src\admin.php:81
action · init · src\ajax.php:81
action · easy_ea_new_app · src\ajax.php:109
action · wp_enqueue_scripts · src\frontend.php:56
action · easy_ea_user_email_notification · src\mail.php:69
action · easy_ea_repeat_appointment_mail_notification · src\mail.php:70
action · easy_ea_admin_email_notification · src\mail.php:71
action · wp · src\mail.php:74
filter · ea_format_notification_params · src\mail.php:77
filter · easy_ea_admin_mail_template · src\mail.php:80
filter · easy_ea_customer_mail_template · src\mail.php:81
action · wp_mail_failed · src\mail.php:978
action · easy_ea_update_options · src\options.php:29
filter · easy-appointments-user-ajax-capabilities · src\options.php:30
filter · easy-appointments-user-menu-capabilities · src\options.php:31
filter · easy_ea_form_rows · src\services\UserFieldMapper.php:9
action · wp_enqueue_scripts · src\shortcodes\fullcalendar.php:51
filter · easy_ea_calendar_public_access · src\shortcodes\fullcalendar.php:61

Scheduled Events (3)

easyapp_hourly_event
ea_daily_expire_appointments
ea_gdpr_auto_delete
Maintenance & Trust

Easy Appointments Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 24, 2026
PHP min version: 5.3
Downloads: 1.8M

Community Trust

Rating: 86/100
Number of ratings: 129
Active installs: 10K
Developer Profile

Easy Appointments Developer Profile

Easy Appointments

1 plugin · 10K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 471 days
Detection Fingerprints

How We Detect Easy Appointments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/easy-appointments/css/style.css
  • /wp-content/plugins/easy-appointments/css/bootstrap.min.css
  • /wp-content/plugins/easy-appointments/css/fullcalendar.css
  • /wp-content/plugins/easy-appointments/css/jquery.datetimepicker.css
  • /wp-content/plugins/easy-appointments/css/bootstrap-theme.min.css
  • /wp-content/plugins/easy-appointments/js/bootstrap.min.js
  • /wp-content/plugins/easy-appointments/js/jquery.datetimepicker.full.js
  • /wp-content/plugins/easy-appointments/js/easy-appointments.js
  • (+12 more)

Version Parameters

  • /wp-content/plugins/easy-appointments/css/style.css?ver=
  • /wp-content/plugins/easy-appointments/css/bootstrap.min.css?ver=
  • /wp-content/plugins/easy-appointments/css/fullcalendar.css?ver=
  • /wp-content/plugins/easy-appointments/css/jquery.datetimepicker.css?ver=
  • /wp-content/plugins/easy-appointments/css/bootstrap-theme.min.css?ver=
  • /wp-content/plugins/easy-appointments/js/bootstrap.min.js?ver=
  • /wp-content/plugins/easy-appointments/js/jquery.datetimepicker.full.js?ver=
  • /wp-content/plugins/easy-appointments/js/easy-appointments.js?ver=
  • /wp-content/plugins/easy-appointments/js/fullcalendar.js?ver=
  • /wp-content/plugins/easy-appointments/js/moment.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-frontend.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-admin.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-ajax.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-ajax-frontend.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-ajax-admin.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-fullcalendar.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-user-fields.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-calendar.js?ver=
  • /wp-content/plugins/easy-appointments/js/appointments-calendar-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • ea-appointment-frontend
  • ea-appointment-appointments
  • ea-appointment-booking
  • ea-appointment-calendar
  • ea-appointment-calendar-admin
  • ea-appointment-date
  • ea-appointment-time
  • ea-appointment-service
  • (+46 more)

Data Attributes

  • data-ea-booking-id
  • data-ea-appointment-id
  • data-ea-appointment-date
  • data-ea-appointment-time
  • data-ea-appointment-service-id
  • data-ea-appointment-location-id
  • (+26 more)

JS Globals

  • easy_appointments_params
  • easy_appointments_frontend_params
  • easy_appointments_admin_params
  • easy_appointments_ajax_params
  • easy_appointments_ajax_frontend_params
  • easy_appointments_ajax_admin_params
  • (+4 more)

REST Endpoints

  • /wp-json/easy-appointments/v1/appointments
  • /wp-json/easy-appointments/v1/services
  • /wp-json/easy-appointments/v1/locations
  • /wp-json/easy-appointments/v1/providers
  • /wp-json/easy-appointments/v1/settings
FAQ

Frequently Asked Questions about Easy Appointments