Does Easy Appointments have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Easy Appointments compatible with WordPress 7.0?

According to WordPress.org data, Easy Appointments 3.12.24.1 has been tested up to WordPress 7.0. Check the plugin's changelog for the latest compatibility information.

Is Easy Appointments compatible with PHP 5.3+?

Easy Appointments requires PHP 5.3 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Easy Appointments updated?

Easy Appointments was last updated on Apr 16, 2026. Frequent updates are generally a positive security signal.

What is Easy Appointments's security score?

Easy Appointments has a WP-Safety security score of 92/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Easy Appointments Security & Risk Analysis

wordpress.org/plugins/easy-appointments

The easiest way to accept bookings on WordPress for free. Set up a beautiful appointment booking form for your business in minutes — no coding needed.

10K active installs v3.12.24.1 PHP 5.3+ WP 3.7+ Updated Apr 16, 2026

appointmentappointmentsbookingcalendarreservation

A · Safe

CVEs total9

Unpatched0

Last CVEApr 17, 2026

Plugin page Download

Safety Verdict

Is Easy Appointments Safe to Use in 2026?

Generally Safe

Score 92/100

Easy Appointments has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

9 known CVEsLast CVE: Apr 17, 2026Updated 1mo ago

Risk Assessment

The "easy-appointments" plugin version 3.12.21 presents a mixed security posture. While it demonstrates good practices in areas like SQL query sanitization (89% prepared statements) and output escaping (84%), significant concerns arise from its attack surface and taint analysis.

A substantial portion of its entry points, specifically 40 out of 58, are unprotected by authentication or authorization checks. This includes 38 AJAX handlers and 2 REST API routes that lack proper permission callbacks. The taint analysis reveals 13 high-severity flows with unsanitized paths, indicating a direct risk of malicious input being processed without adequate validation.

The plugin's historical vulnerability record, with 7 known medium-severity CVEs, albeit all currently patched and the last occurring in the future, suggests a pattern of past security weaknesses. The common vulnerability types of code injection and cross-site scripting are particularly worrying given the taint analysis findings. While the lack of critical/high unpatched CVEs is positive, the existing attack surface and taint issues, coupled with past vulnerabilities, necessitate caution.

Key Concerns

Large attack surface without auth checks
High severity taint flows with unsanitized paths
AJAX handlers without auth checks
REST API routes without permission callbacks
13% of SQL queries not using prepared statements
16% of outputs not properly escaped
7 medium severity CVEs historically

Vulnerabilities

9 published

Easy Appointments Security Vulnerabilities

CVEs by Year

1 CVE in 2017

2017

1 CVE in 2022

2022

2 CVEs in 2023

2023

2 CVEs in 2024

2024

1 CVE in 2025

2025

2 CVEs in 2026

2026

Patched Has unpatched

Severity Breakdown

High

Medium

9 total CVEs

CVE-2026-2262high · 7.5Exposure of Sensitive Information to an Unauthorized Actor

Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

Apr 17, 2026 Patched in 3.12.22 (1d)

CVE-2026-39513medium · 5.3Missing Authorization

Easy Appointments <= 3.12.21 - Missing Authorization

Apr 13, 2026 Patched in 3.12.22 (9d)

CVE-2025-49398medium · 6.5Improper Control of Generation of Code ('Code Injection')

Easy Appointments <= 3.12.14 - Unauthenticated Arbitrary Shortcode Execution

Sep 9, 2025 Patched in 3.12.14.1 (65d)

CVE-2024-2842medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Appointments <= 3.11.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 28, 2024 Patched in 3.11.19 (1d)

CVE-2024-2844medium · 4.3Missing Authorization

Easy Appointments <= 3.11.18 - Insufficient Authorization

Mar 28, 2024 Patched in 3.11.19 (1d)

CVE-2022-36424medium · 6.3Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Appointments <= 3.11.9 - Cross-Site Request Forgery via multiple AJAX actions

May 5, 2023 Patched in 3.11.10 (263d)

CVE-2023-30748medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Appointments <= 3.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 14, 2023 Patched in 3.11.1 (284d)

CVE-2022-4668medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Appointments <= 3.10.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 27, 2022 Patched in 3.11.0 (392d)

CVE-2017-15812medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Appointments < 1.12.0 - Cross-Site Scripting

Oct 16, 2017 Patched in 1.12.0 (2290d)

Version History

Easy Appointments Release Timeline

v3.12.24.1Current

v3.12.24

v3.12.23.1

v3.12.23

v3.12.22

v3.12.212 CVEs

CVE-2026-2262 CVE-2026-39513

v3.12.202 CVEs

CVE-2026-2262 CVE-2026-39513

v3.12.192 CVEs

CVE-2026-2262 CVE-2026-39513

v3.12.182 CVEs

CVE-2026-2262 CVE-2026-39513

v3.12.172 CVEs

CVE-2026-2262 CVE-2026-39513

v3.12.162 CVEs

CVE-2026-2262 CVE-2026-39513

v3.12.152 CVEs

CVE-2026-2262 CVE-2026-39513

v3.12.14.12 CVEs

CVE-2026-2262 CVE-2026-39513

v3.12.143 CVEs

CVE-2025-49398 CVE-2026-2262 CVE-2026-39513

v3.12.133 CVEs

CVE-2025-49398 CVE-2026-2262 CVE-2026-39513

v3.12.12.13 CVEs

CVE-2025-49398 CVE-2026-2262 CVE-2026-39513

v3.12.123 CVEs

CVE-2025-49398 CVE-2026-2262 CVE-2026-39513

v3.12.11.13 CVEs

CVE-2025-49398 CVE-2026-2262 CVE-2026-39513

v3.12.113 CVEs

CVE-2025-49398 CVE-2026-2262 CVE-2026-39513

v3.12.103 CVEs

CVE-2025-49398 CVE-2026-2262 CVE-2026-39513

Code Analysis

Analyzed Mar 16, 2026

Easy Appointments Code Analysis

Dangerous Functions

Raw SQL Queries

133 prepared

Unescaped Output

320 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Select2jQuery

SQL Query Safety

89% prepared149 total queries

Output Escaping

84% escaped380 total outputs

Data Flows · Security

13 unsanitized

Data Flow Analysis

20 flows13 with unsanitized paths

<admin> (src\admin.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

40 unprotected

Easy Appointments Attack Surface

Entry Points58

Unprotected40

AJAX Handlers 52

authwp_ajax_easy_ea_newsletter_submitsrc\admin.php:1413

authwp_ajax_easy_ea_newsletter_hide_formsrc\admin.php:1428

noprivwp_ajax_ea_next_stepsrc\ajax.php:87

authwp_ajax_ea_next_stepsrc\ajax.php:88

noprivwp_ajax_ea_date_selectedsrc\ajax.php:90

authwp_ajax_ea_date_selectedsrc\ajax.php:91

authwp_ajax_ea_res_appointmentsrc\ajax.php:93

noprivwp_ajax_ea_res_appointmentsrc\ajax.php:94

authwp_ajax_ea_final_appointmentsrc\ajax.php:96

noprivwp_ajax_ea_final_appointmentsrc\ajax.php:97

authwp_ajax_ea_cancel_appointmentsrc\ajax.php:99

noprivwp_ajax_ea_cancel_appointmentsrc\ajax.php:100

authwp_ajax_ea_month_statussrc\ajax.php:102

noprivwp_ajax_ea_month_statussrc\ajax.php:103

authwp_ajax_ea_search_customerssrc\ajax.php:104

authwp_ajax_ea_get_customer_detailsrc\ajax.php:105

authwp_ajax_ea_update_customer_datasrc\ajax.php:106

authwp_ajax_ea_save_custom_columnssrc\ajax.php:119

authwp_ajax_ea_errorssrc\ajax.php:121

authwp_ajax_ea_test_wp_mailsrc\ajax.php:123

authwp_ajax_ea_reset_pluginsrc\ajax.php:124

authwp_ajax_ea_appointmentssrc\ajax.php:127

authwp_ajax_ea_appointmentsrc\ajax.php:130

authwp_ajax_ea_servicessrc\ajax.php:133

authwp_ajax_ea_servicesrc\ajax.php:136

authwp_ajax_ea_update_ordersrc\ajax.php:139

authwp_ajax_ea_locationssrc\ajax.php:142

authwp_ajax_ea_locationsrc\ajax.php:145

authwp_ajax_ea_workersrc\ajax.php:148

authwp_ajax_ea_is_pro_existsrc\ajax.php:149

authwp_ajax_ea_workerssrc\ajax.php:154

authwp_ajax_ea_connectionsrc\ajax.php:157

authwp_ajax_ea_connectionssrc\ajax.php:160

authwp_ajax_ea_open_timessrc\ajax.php:163

authwp_ajax_ea_settingsrc\ajax.php:166

authwp_ajax_ea_settingssrc\ajax.php:169

authwp_ajax_ea_reportsrc\ajax.php:172

authwp_ajax_ea_fieldssrc\ajax.php:175

authwp_ajax_ea_fieldsrc\ajax.php:176

authwp_ajax_ea_exportsrc\ajax.php:177

authwp_ajax_ea_default_templatesrc\ajax.php:178

authwp_ajax_ea_send_query_messagesrc\ajax.php:179

authwp_ajax_cancel_selected_appointmentssrc\ajax.php:180

authwp_ajax_delete_selected_appointmentsrc\ajax.php:181

authwp_ajax_ea_get_customers_ajaxsrc\ajax.php:183

authwp_ajax_ea_update_customer_ajaxsrc\ajax.php:184

authwp_ajax_ea_insert_customer_ajaxsrc\ajax.php:185

authwp_ajax_ea_get_customer_detail_ajaxsrc\ajax.php:186

authwp_ajax_ea_delete_customersrc\ajax.php:187

authwp_ajax_ea_delete_multiple_connectionssrc\ajax.php:188

authwp_ajax_ea_full_exportsrc\ajax.php:190

authwp_ajax_ea_full_importsrc\ajax.php:191

REST API Routes 3

GET/wp-json/wp/v2/eablocks/get_ea_options/ea-blocks\ea-blocks.php:74

GET/wp-json/wp/v2/eablocks/ea_appointments/ea-blocks\ea-blocks.php:187

POST/wp-json/wp/v2/eablocks/render_shortcodeea-blocks\ea-blocks.php:307

Shortcodes 3

[ea_standard] src\frontend.php:60

[ea_bootstrap] src\frontend.php:63

[ea_full_calendar] src\shortcodes\fullcalendar.php:55

WordPress Hooks 31

actioninitea-blocks\ea-blocks.php:34

actionrest_api_initea-blocks\ea-blocks.php:73

actionrest_api_initea-blocks\ea-blocks.php:186

actionrest_api_initea-blocks\ea-blocks.php:306

actionplugins_loadedmain.php:95

actioneasyapp_hourly_eventmain.php:98

actionea_daily_expire_appointmentsmain.php:100

actionea_gdpr_auto_deletemain.php:102

actioninitmain.php:105

actionrest_api_initmain.php:107

actionadmin_menusrc\admin.php:76

actionadmin_menusrc\admin.php:77

actionadmin_initsrc\admin.php:80

actionadmin_initsrc\admin.php:81

actioninitsrc\ajax.php:81

actioneasy_ea_new_appsrc\ajax.php:109

actionwp_enqueue_scriptssrc\frontend.php:56

actioneasy_ea_user_email_notificationsrc\mail.php:69

actioneasy_ea_repeat_appointment_mail_notificationsrc\mail.php:70

actioneasy_ea_admin_email_notificationsrc\mail.php:71

actionwpsrc\mail.php:74

filterea_format_notification_paramssrc\mail.php:77

filtereasy_ea_admin_mail_templatesrc\mail.php:80

filtereasy_ea_customer_mail_templatesrc\mail.php:81

actionwp_mail_failedsrc\mail.php:978

actioneasy_ea_update_optionssrc\options.php:29

filtereasy-appointments-user-ajax-capabilitiessrc\options.php:30

filtereasy-appointments-user-menu-capabilitiessrc\options.php:31

filtereasy_ea_form_rowssrc\services\UserFieldMapper.php:9

actionwp_enqueue_scriptssrc\shortcodes\fullcalendar.php:51

filtereasy_ea_calendar_public_accesssrc\shortcodes\fullcalendar.php:61

Scheduled Events 3

easyapp_hourly_event

ea_daily_expire_appointments

ea_gdpr_auto_delete

Maintenance & Trust

Easy Appointments Maintenance & Trust

Maintenance Signals

WordPress version tested7.0

Last updatedApr 16, 2026

PHP min version5.3

Downloads1.8M

Community Trust

Rating86/100

Number of ratings130

Active installs10K

Alternatives

Easy Appointments Alternatives

SimplyBook.me – Booking and reservations calendar

simplybook

100

Simply add a booking calendar to your site to schedule bookings, reservations, appointments and to collect payments.

20K No CVEs

Pinpoint Booking System – Version 2

booking-system

Book anything, anytime, anywhere.

3K 1 unpatched

SuperSaaS – online appointment scheduling

supersaas-appointment-scheduling

SuperSaaS is a flexible appointment scheduling system that works with many different businesses. The basic version is free.

1K 2 CVEs

Booking Ultra Pro Appointments Booking Calendar Plugin

booking-ultra-pro

Powerful Booking Plugin with amazing dashboard to manage all of your appointments & bookings online.

400 1 unpatched

Easy Booking Calendar for WooCommerce

easy-booking-calendar

100

Turn any product into a bookable item with an easy-to-use calendar. Supports date ranges, automatic price calculations, and prevents double bookings.

30 No CVEs

Developer Profile

Easy Appointments Developer Profile

Easy Appointments

1 plugin · 10K total installs

trust score

Avg Security Score

92/100

Avg Patch Time

367 days

View full developer profile

Detection Fingerprints

How We Detect Easy Appointments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/easy-appointments/css/style.css/wp-content/plugins/easy-appointments/css/bootstrap.min.css/wp-content/plugins/easy-appointments/css/fullcalendar.css/wp-content/plugins/easy-appointments/css/jquery.datetimepicker.css/wp-content/plugins/easy-appointments/css/bootstrap-theme.min.css/wp-content/plugins/easy-appointments/js/bootstrap.min.js/wp-content/plugins/easy-appointments/js/jquery.datetimepicker.full.js/wp-content/plugins/easy-appointments/js/easy-appointments.js+12 more

Version Parameters

/wp-content/plugins/easy-appointments/css/style.css?ver=/wp-content/plugins/easy-appointments/css/bootstrap.min.css?ver=/wp-content/plugins/easy-appointments/css/fullcalendar.css?ver=/wp-content/plugins/easy-appointments/css/jquery.datetimepicker.css?ver=/wp-content/plugins/easy-appointments/css/bootstrap-theme.min.css?ver=/wp-content/plugins/easy-appointments/js/bootstrap.min.js?ver=/wp-content/plugins/easy-appointments/js/jquery.datetimepicker.full.js?ver=/wp-content/plugins/easy-appointments/js/easy-appointments.js?ver=/wp-content/plugins/easy-appointments/js/fullcalendar.js?ver=/wp-content/plugins/easy-appointments/js/moment.js?ver=/wp-content/plugins/easy-appointments/js/appointments.js?ver=/wp-content/plugins/easy-appointments/js/appointments-frontend.js?ver=/wp-content/plugins/easy-appointments/js/appointments-admin.js?ver=/wp-content/plugins/easy-appointments/js/appointments-ajax.js?ver=/wp-content/plugins/easy-appointments/js/appointments-ajax-frontend.js?ver=/wp-content/plugins/easy-appointments/js/appointments-ajax-admin.js?ver=/wp-content/plugins/easy-appointments/js/appointments-fullcalendar.js?ver=/wp-content/plugins/easy-appointments/js/appointments-user-fields.js?ver=/wp-content/plugins/easy-appointments/js/appointments-calendar.js?ver=/wp-content/plugins/easy-appointments/js/appointments-calendar-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

ea-appointment-frontendea-appointment-appointmentsea-appointment-bookingea-appointment-calendarea-appointment-calendar-adminea-appointment-dateea-appointment-timeea-appointment-service+46 more

Data Attributes

data-ea-booking-iddata-ea-appointment-iddata-ea-appointment-datedata-ea-appointment-timedata-ea-appointment-service-iddata-ea-appointment-location-id+26 more

JS Globals

easy_appointments_paramseasy_appointments_frontend_paramseasy_appointments_admin_paramseasy_appointments_ajax_paramseasy_appointments_ajax_frontend_paramseasy_appointments_ajax_admin_params+4 more

REST Endpoints

/wp-json/easy-appointments/v1/appointments/wp-json/easy-appointments/v1/services/wp-json/easy-appointments/v1/locations/wp-json/easy-appointments/v1/providers/wp-json/easy-appointments/v1/settings

FAQ

Easy Appointments Security & Risk Analysis

Is Easy Appointments Safe to Use in 2026?

Generally Safe

Key Concerns

Easy Appointments Security Vulnerabilities

CVEs by Year

Severity Breakdown

Easy Appointments Release Timeline

Easy Appointments Code Analysis

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

Easy Appointments Attack Surface

AJAX Handlers 52

REST API Routes 3

Shortcodes 3

Scheduled Events 3

Easy Appointments Maintenance & Trust

Maintenance Signals

Community Trust

Easy Appointments Alternatives

SimplyBook.me – Booking and reservations calendar

Pinpoint Booking System – Version 2

SuperSaaS – online appointment scheduling

Booking Ultra Pro Appointments Booking Calendar Plugin

Easy Booking Calendar for WooCommerce

Easy Appointments Developer Profile

How We Detect Easy Appointments

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Easy Appointments