Online Booking & Scheduling Calendar for WordPress by vcita Security & Risk Analysis

wordpress.org/plugins/meeting-scheduler-by-vcita

Let clients schedule meetings with you online! No more back & forth emails

1K active installs v4.6.0 PHP + WP 4.6+ Updated Nov 19, 2025
Tags: booking, calendar, events, meetings, scheduling
Score: 88
A · Safe
CVEs total: 19
Unpatched: 0
Last CVE: Nov 12, 2025

Safety Verdict

Is Online Booking & Scheduling Calendar for WordPress by vcita Safe to Use in 2026?

Generally Safe

Score 88/100

Online Booking & Scheduling Calendar for WordPress by vcita has a strong security track record. Known vulnerabilities have been patched promptly.

19 known CVEs · Last CVE: Nov 12, 2025 · Updated 4mo ago

Risk Assessment

Version 4.6.0 of the 'meeting-scheduler-by-vcita' plugin presents a mixed security posture. Its strengths are 100% SQL query sanitization via prepared statements (the code analysis counted 0 raw SQL queries) and a good number of nonce and capability checks. Several significant concerns remain: one REST API route is unprotected, and only 22% of outputs are properly escaped, which suggests potential vulnerabilities. The taint analysis, while limited, found one flow with unsanitized paths; it was not rated critical or high severity in this analysis, but it warrants attention given the plugin's history.

Key Concerns

  • 1 unprotected REST API route
  • 22% of outputs properly escaped
  • 1 flow with unsanitized paths
  • 19 known CVEs historically
  • 4 high severity historical CVEs
  • 15 medium severity historical CVEs
Vulnerabilities
19

Online Booking & Scheduling Calendar for WordPress by vcita Security Vulnerabilities

CVEs by Year

6 CVEs in 2023
8 CVEs in 2024
5 CVEs in 2025

Severity Breakdown

High: 4
Medium: 15

19 total CVEs

CVE-2025-67472 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.5 - Cross-Site Request Forgery

Nov 12, 2025 · Patched in 4.6.0 (30d)

CVE-2025-67559 · medium · 4.3 · Missing Authorization

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.5 - Missing Authorization

Nov 12, 2025 · Patched in 4.6.0 (30d)

CVE-2025-54677 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.3 - Authenticated (Author+) Arbitrary File Upload

Aug 14, 2025 · Patched in 4.5.5 (5d)

CVE-2025-54676 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 30, 2025 · Patched in 4.5.5 (6d)

CVE-2025-32238 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.2 - Authenticated (Subscriber+) Sensitive Information Exposure

Apr 4, 2025 · Patched in 4.6.0 (231d)

CVE-2024-54356 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5 - Cross-Site Request Forgery

Dec 11, 2024 · Patched in 4.5.2 (9d)

CVE-2024-9872 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Dec 5, 2024 · Patched in 4.5.2 (1d)

CVE-2024-47638 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Reflected Cross-Site Scripting

Sep 30, 2024 · Patched in 4.5 (57d)

CVE-2024-35761 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

vCita Online Booking & Scheduling Calendar <= 4.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 17, 2024 · Patched in 4.4.1

CVE-2024-37499 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.2 - Authenticated (Contributor+) Local File Inclusion

Jul 4, 2024 · Patched in 4.4.3 (8d)

CVE-2024-37262 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.2 - Reflected Cross-Site Scripting

Jun 27, 2024 · Patched in 4.4.3 (6d)

CVE-2024-5791 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Booking and Online Scheduling <= 4.4.2 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Jun 21, 2024 · Patched in 4.4.3 (1d)

CVE-2024-5859 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Appointment Booking and Online Scheduling <= 4.4.2 - Reflected Cross-Site Scripting

Jun 20, 2024 · Patched in 4.4.3 (1d)

CVE-2023-39992 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 10, 2023 · Patched in 4.3.3 (166d)

CVE-2023-2414 · medium · 5.4 · Missing Authorization

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Missing Authorization to Settings Update and Arbitrary File Upload

Jun 2, 2023 · Patched in 4.5 (543d)

CVE-2023-2299 · medium · 5.3 · Missing Authorization

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.2 - Missing Authorization on REST-API

Jun 2, 2023 · Patched in 4.4.3 (543d)

CVE-2023-2415 · medium · 5.4 · Missing Authorization

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization to Account Logout

Jun 2, 2023 · Patched in 4.3.0 (235d)

CVE-2023-2298 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.0 - Unauthenticated Stored Cross-Site Scripting

Jun 2, 2023 · Patched in 4.3.1 (235d)

CVE-2023-2416 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5 - Cross-Site Request Forgery to Account Logout

Jun 2, 2023 Patched in 4.5.2 (553d)
Code Analysis
Analyzed Mar 16, 2026

Online Booking & Scheduling Calendar for WordPress by vcita Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 297 (84 escaped)
Nonce Checks: 6
Capability Checks: 9
File Operations: 1
External Requests: 4
Bundled Libraries: 1

Bundled Libraries

Select2

Output Escaping

22% escaped · 381 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

1 flow · 1 with unsanitized paths
<vcita-add-to-site> (pages\vcita-add-to-site.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
1 unprotected

Online Booking & Scheduling Calendar for WordPress by vcita Attack Surface

Entry Points: 7
Unprotected: 1

AJAX Handlers 6

auth · wp_ajax_vcita_dismiss · vcita-ajax-function.php:3
auth · wp_ajax_vcita_logout · vcita-ajax-function.php:4
auth · wp_ajax_vcita_check_auth · vcita-ajax-function.php:5
auth · wp_ajax_vcita_save_settings · vcita-ajax-function.php:6
auth · wp_ajax_vcita_save_data · vcita-ajax-function.php:7
auth · wp_ajax_vcita_deactivate_others · vcita-ajax-function.php:8

REST API Routes 1

GET · /wp-json/vcita-wordpress/v1/actions/(?P<action>.+) · vcita-scheduler.php:379

WordPress Hooks 11

filter · show_admin_bar · pages\vcita-add-to-site.php:33
action · admin_enqueue_scripts · vcita-scheduler.php:429
filter · plugin_action_links · vcita-scheduler.php:528
action · current_screen · vcita-scheduler.php:529
action · admin_init · vcita-scheduler.php:530
action · admin_menu · vcita-scheduler.php:531
action · wp_head · vcita-scheduler.php:532
action · admin_notices · vcita-scheduler.php:534
action · admin_footer · vcita-scheduler.php:535
action · plugins_loaded · vcita-scheduler.php:536
action · rest_api_init · vcita-scheduler.php:545
Maintenance & Trust

Online Booking & Scheduling Calendar for WordPress by vcita Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Nov 19, 2025
PHP min version
Downloads: 441K

Community Trust

Rating: 78/100
Number of ratings: 117
Active installs: 1K
Developer Profile

Online Booking & Scheduling Calendar for WordPress by vcita Developer Profile

vcita

3 plugins · 1K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 171 days
Detection Fingerprints

How We Detect Online Booking & Scheduling Calendar for WordPress by vcita

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/meeting-scheduler-by-vcita/assets/js/pc_v.js
/wp-content/plugins/meeting-scheduler-by-vcita/assets/js/utils_v.js
/wp-content/plugins/meeting-scheduler-by-vcita/assets/js/mixpanel_v.js
/wp-content/plugins/meeting-scheduler-by-vcita/assets/style/style_v.css
Version Parameters
meeting-scheduler-by-vcita/assets/js/pc_v.js?ver=
meeting-scheduler-by-vcita/assets/js/utils_v.js?ver=
meeting-scheduler-by-vcita/assets/js/mixpanel_v.js?ver=
meeting-scheduler-by-vcita/assets/style/style_v.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpschd_admin_notice
wpschd_admin_notice-image
wpschd_admin_notice-text
vcita__btn__blue
wpschd_admin_notice_close
HTML Comments
Check if vCita plugin already installed.
This plugin shows your free time slot on your blog and allows you to book appointments with your clients 24x7x365. Very easy Ajax interface. Easy to setup and can be controlled completely from powerful admin area.
Data Attributes
onclick="wpshd_ntf_dismiss();this.parentNode.remove()"
onclick="wpshd_ntf_dismiss_switch()"
onclick="wpshd_ntf_connect_click()"
onclick="wpshd_ntf_turn_on_click()"
JS Globals
vcitaSchedulerDataVcitaMixpmanMixpMan
REST Endpoints
/wp-json/vcita/v1/appointments
Shortcode Output
[vcita-scheduler]
FAQ

Frequently Asked Questions about Online Booking & Scheduling Calendar for WordPress by vcita