MZ MBO Access Security & Risk Analysis

wordpress.org/plugins/mindbody-access-management

Restricts WordPress content based on the visiting client's Mindbody (MBO) account details, with two access levels derived from the client's MBO membership details.

Active installs: 0 · Version: v2.1.6 · Requires WP 3.0.1+ · Last updated: Unknown
Tags: calendar · mbo · mindbody · schedule · yoga

Security score: 99/100 · Grade A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jun 30, 2021
Safety Verdict

Is MZ MBO Access Safe to Use in 2026?

Generally Safe

Score 99/100

MZ MBO Access has a clean CVE track record: its one known vulnerability (a CSRF in versions up to 2.0.8) is patched in 2.0.9. This verdict reflects CVE history; the static code-analysis findings, in particular the AJAX handlers registered without capability checks, are assessed separately in the Risk Assessment below.

1 known CVE · Last CVE: Jun 30, 2021
Risk Assessment

The mindbody-access-management plugin v2.1.6 exposes a large attack surface. The scanner identified 21 AJAX handlers and found no authentication or capability check in any of them. Eighteen of the 21 are the plugin's own nine handlers registered on both the logged-in and the nopriv hook (see Attack Surface below), so they are reachable by unauthenticated visitors; the remaining three are admin-side Carbon Fields handlers from the Mozart-prefixed copy of that library shipped under src\Mozart\htmlburger\carbon-fields. Code signals are otherwise quiet: no dangerous functions, no file operations, no external requests, and taint analysis reported no critical or high severity flows. The plugin has one prior high-severity CVE, a Cross-Site Request Forgery affecting versions up to 2.0.8 and fixed in 2.0.9; that history, combined with the present unprotected AJAX endpoints, points to recurring authorization and CSRF oversights rather than a one-off bug. On the positive side, 12 of 21 SQL queries (57%) use prepared statements, 120 of 165 outputs (73%) are escaped, and 9 nonce checks and 5 capability checks are present. These do not offset the unprotected AJAX handlers, which dominate the overall risk.

Key Concerns

  • 21 AJAX handlers without authentication or capability checks; 18 of them reachable by logged-out visitors via the nopriv hook
  • Nonce checks: 9 found against 21 registered AJAX handlers
  • History of a high-severity CSRF CVE (<= 2.0.8, fixed in 2.0.9)
  • 9 raw SQL queries; only 57% of queries use prepared statements
  • 45 unescaped outputs; only 73% of outputs escaped
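What the scanner is counting, shown in code: the registration pattern that makes an admin-ajax.php handler reachable without any auth, beside a hardened version with a nonce (CSRF), a capability check (authorization) and input validation. This is an added example, not code from the MZ MBO Access plugin. The handler name ajax_register_for_class is taken from the Attack Surface listing on this page; the function bodies, the mz_mbo_access_nonce action name and the mz-mbo-access-public script handle are assumptions.

```php
<?php
// Added example (not the plugin's code). Handler name from the page's listing;
// bodies, nonce action and script handle are hypothetical.

// --- Pattern the scanner flags as "unprotected" -----------------------------
// Registered on both hooks, so a logged-out visitor can call it, and the body
// reads $_POST with no nonce check, no capability check and no validation.
add_action( 'wp_ajax_ajax_register_for_class',        'mz_example_register_for_class_unprotected' );
add_action( 'wp_ajax_nopriv_ajax_register_for_class', 'mz_example_register_for_class_unprotected' );

function mz_example_register_for_class_unprotected() {
    $class_id = $_POST['classID'];                 // unsanitized, unauthenticated, no CSRF token
    // ... would book $class_id through the Mindbody API here ...
    wp_send_json( array( 'ok' => true, 'classID' => $class_id ) );
}

// --- Hardened version --------------------------------------------------------
// 1. Register only the logged-in hook unless the feature genuinely serves
//    logged-out visitors; WordPress then answers nopriv requests with "0"/HTTP 400.
add_action( 'wp_ajax_ajax_register_for_class', 'mz_example_register_for_class_hardened' );

function mz_example_register_for_class_hardened() {
    // 2. CSRF: every state-changing request must carry a nonce issued to this
    //    user's session. With $stop = false the function returns false instead of
    //    dying, so we can answer with JSON.
    if ( ! check_ajax_referer( 'mz_mbo_access_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // 3. Authorization: bind the action to a WordPress capability. 'read' is the
    //    lowest built-in one; a plugin would normally register its own.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. Input validation: coerce to the type the downstream API expects and
    //    reject anything else before it reaches the booking call.
    $class_id = isset( $_POST['classID'] ) ? absint( wp_unslash( $_POST['classID'] ) ) : 0;
    if ( 0 === $class_id ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid classID.' ), 400 );
    }

    // ... book $class_id through the Mindbody API here ...
    wp_send_json_success( array( 'classID' => $class_id ) );
}

// Hand the nonce to the front-end script (assumed handle 'mz-mbo-access-public',
// which must already be enqueued) so the JS can send it as the 'nonce' field.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'mz-mbo-access-public', 'mzMboAccessAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'mz_mbo_access_nonce' ),
    ) );
} );
```

Handlers that must stay on the nopriv hook (a client login or "am I logged in" check) cannot use current_user_can(); authorization there has to be enforced against the Mindbody client session instead. Note also that a nonce issued to a logged-out visitor is not bound to any user, so any attacker can fetch one by loading the page: on nopriv endpoints the nonce is a weak CSRF control, and origin checks and rate limiting carry more of the weight.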
Vulnerabilities: 1

MZ MBO Access Security Vulnerabilities

CVEs by Year: 1 CVE in 2021 (patched)

Severity Breakdown: High 1 (1 total CVE)

WF-d18c17f1-7b85-46d6-a92e-948be98adf87-mindbody-access-management · High · 8.8 · Cross-Site Request Forgery (CSRF)

MZ MBO Access <= 2.0.8 - Cross-Site Request Forgery

Jun 30, 2021 · Patched in 2.0.9 · 937 days to patch
Code Analysis (analyzed Mar 17, 2026)

MZ MBO Access Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 9 (12 prepared)
Unescaped Output: 45 (120 escaped)
Nonce Checks: 9
Capability Checks: 5
File Operations: 0
External Requests: 0
Bundled Libraries: 0 (the hook and AJAX listings below nevertheless show a Mozart-prefixed copy of Carbon Fields under src\Mozart\htmlburger\carbon-fields, which the scanner did not count as a bundled library)

SQL Query Safety: 57% prepared (21 total queries)

Output Escaping: 73% escaped (165 total outputs)

Data Flows: All sanitized

Data Flow Analysis

9 flows (1 shown)
ajax_login_check_access_permissions (src\Access\AccessPortal.php:36)
Attack Surface: 21 unprotected

MZ MBO Access Attack Surface

Entry Points: 22
Unprotected: 21

AJAX Handlers: 21

Scope · Hook · Location
nopriv · wp_ajax_ajax_login_check_access_permissions · src\Core\PluginCore.php:232
auth · wp_ajax_ajax_login_check_access_permissions · src\Core\PluginCore.php:233
nopriv · wp_ajax_ajax_check_access_permissions · src\Core\PluginCore.php:235
auth · wp_ajax_ajax_check_access_permissions · src\Core\PluginCore.php:236
nopriv · wp_ajax_ajax_register_for_class · src\Core\PluginCore.php:239
auth · wp_ajax_ajax_register_for_class · src\Core\PluginCore.php:240
nopriv · wp_ajax_ajax_create_mbo_account · src\Core\PluginCore.php:243
auth · wp_ajax_ajax_create_mbo_account · src\Core\PluginCore.php:244
nopriv · wp_ajax_ajax_generate_signup_form · src\Core\PluginCore.php:247
auth · wp_ajax_ajax_generate_signup_form · src\Core\PluginCore.php:248
nopriv · wp_ajax_ajax_client_login · src\Core\PluginCore.php:251
auth · wp_ajax_ajax_client_login · src\Core\PluginCore.php:252
nopriv · wp_ajax_ajax_client_logout · src\Core\PluginCore.php:255
auth · wp_ajax_ajax_client_logout · src\Core\PluginCore.php:256
nopriv · wp_ajax_ajax_display_client_schedule · src\Core\PluginCore.php:259
auth · wp_ajax_ajax_display_client_schedule · src\Core\PluginCore.php:260
nopriv · wp_ajax_ajax_check_client_logged · src\Core\PluginCore.php:263
auth · wp_ajax_ajax_check_client_logged · src\Core\PluginCore.php:264
auth · wp_ajax_carbon_fields_add_sidebar · src\Mozart\htmlburger\carbon-fields\core\Libraries\Sidebar_Manager\Sidebar_Manager.php:26
auth · wp_ajax_carbon_fields_remove_sidebar · src\Mozart\htmlburger\carbon-fields\core\Libraries\Sidebar_Manager\Sidebar_Manager.php:27
auth · wp_ajax_carbon_fields_fetch_association_options · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:51

Shortcodes 1

[mbo-client-access] src\Core\PluginCore.php:332
WordPress Hooks: 85

Type · Hook · Location
action · admin_notices · mz-mbo-access.php:58
action · admin_init · mz-mbo-access.php:59
action · admin_notices · mz-mbo-access.php:76
action · admin_init · mz-mbo-access.php:77
action · plugins_loaded · mz-mbo-access.php:99
action · admin_init · mz-mbo-access.php:235
action · plugins_loaded · src\Core\PluginCore.php:186
action · after_setup_theme · src\Core\PluginCore.php:223
action · carbon_fields_register_fields · src\Core\PluginCore.php:226
action · carbon_fields_fields_registered · src\Core\PluginCore.php:229
action · init · src\Mozart\htmlburger\carbon-fields\core\Container\Block_Container.php:73
filter · block_categories · src\Mozart\htmlburger\carbon-fields\core\Container\Block_Container.php:125
action · admin_init · src\Mozart\htmlburger\carbon-fields\core\Container\Comment_Meta_Container.php:35
action · edit_comment · src\Mozart\htmlburger\carbon-fields\core\Container\Comment_Meta_Container.php:36
filter · wp_edit_nav_menu_walker · src\Mozart\htmlburger\carbon-fields\core\Container\Nav_Menu_Item_Container.php:42
action · wp_update_nav_menu_item · src\Mozart\htmlburger\carbon-fields\core\Container\Nav_Menu_Item_Container.php:58
action · carbon_fields_print_nav_menu_item_container_fields · src\Mozart\htmlburger\carbon-fields\core\Container\Nav_Menu_Item_Container.php:59
action · network_admin_menu · src\Mozart\htmlburger\carbon-fields\core\Container\Network_Container.php:41
action · admin_init · src\Mozart\htmlburger\carbon-fields\core\Container\Post_Meta_Container.php:63
action · save_post · src\Mozart\htmlburger\carbon-fields\core\Container\Post_Meta_Container.php:64
action · add_attachment · src\Mozart\htmlburger\carbon-fields\core\Container\Post_Meta_Container.php:67
action · edit_attachment · src\Mozart\htmlburger\carbon-fields\core\Container\Post_Meta_Container.php:68
action · admin_init · src\Mozart\htmlburger\carbon-fields\core\Container\Term_Meta_Container.php:32
action · init · src\Mozart\htmlburger\carbon-fields\core\Container\Term_Meta_Container.php:33
action · admin_menu · src\Mozart\htmlburger\carbon-fields\core\Container\Theme_Options_Container.php:77
action · admin_init · src\Mozart\htmlburger\carbon-fields\core\Container\User_Meta_Container.php:33
action · profile_update · src\Mozart\htmlburger\carbon-fields\core\Container\User_Meta_Container.php:34
action · user_register · src\Mozart\htmlburger\carbon-fields\core\Container\User_Meta_Container.php:35
action · show_user_profile · src\Mozart\htmlburger\carbon-fields\core\Container\User_Meta_Container.php:151
action · edit_user_profile · src\Mozart\htmlburger\carbon-fields\core\Container\User_Meta_Container.php:152
action · user_new_form · src\Mozart\htmlburger\carbon-fields\core\Container\User_Meta_Container.php:153
action · delete_term · src\Mozart\htmlburger\carbon-fields\core\Datastore\Term_Meta_Datastore.php:28
action · admin_notices · src\Mozart\htmlburger\carbon-fields\core\Exception\Incorrect_Syntax_Exception.php:18
action · network_admin_notices · src\Mozart\htmlburger\carbon-fields\core\Exception\Incorrect_Syntax_Exception.php:19
filter · posts_fields_request · src\Mozart\htmlburger\carbon-fields\core\Field\Association_Field.php:446
filter · posts_groupby_request · src\Mozart\htmlburger\carbon-fields\core\Field\Association_Field.php:448
filter · posts_orderby_request · src\Mozart\htmlburger\carbon-fields\core\Field\Association_Field.php:449
filter · post_limits_request · src\Mozart\htmlburger\carbon-fields\core\Field\Association_Field.php:450
filter · get_terms_fields · src\Mozart\htmlburger\carbon-fields\core\Field\Association_Field.php:511
filter · terms_clauses · src\Mozart\htmlburger\carbon-fields\core\Field\Association_Field.php:512
filter · comments_clauses · src\Mozart\htmlburger\carbon-fields\core\Field\Association_Field.php:616
action · admin_print_footer_scripts · src\Mozart\htmlburger\carbon-fields\core\Field\Field.php:296
action · admin_print_footer_scripts · src\Mozart\htmlburger\carbon-fields\core\Field\Field.php:297
action · admin_print_footer_scripts · src\Mozart\htmlburger\carbon-fields\core\Field\Field.php:313
action · admin_footer · src\Mozart\htmlburger\carbon-fields\core\Field\Rich_Text_Field.php:85
filter · user_can_richedit · src\Mozart\htmlburger\carbon-fields\core\Field\Rich_Text_Field.php:103
action · media_buttons · src\Mozart\htmlburger\carbon-fields\core\Field\Rich_Text_Field.php:140
action · wp · src\Mozart\htmlburger\carbon-fields\core\Field\Scripts_Field.php:31
action · widgets_init · src\Mozart\htmlburger\carbon-fields\core\Libraries\Sidebar_Manager\Sidebar_Manager.php:15
action · admin_enqueue_scripts · src\Mozart\htmlburger\carbon-fields\core\Libraries\Sidebar_Manager\Sidebar_Manager.php:18
filter · carbon_fields_sidebar_default_options · src\Mozart\htmlburger\carbon-fields\core\Libraries\Sidebar_Manager\Sidebar_Manager.php:22
action · after_setup_theme · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:43
action · init · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:44
action · rest_api_init · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:45
action · carbon_fields_fields_registered · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:46
action · admin_enqueue_scripts · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:47
action · admin_print_footer_scripts · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:48
action · admin_print_footer_scripts · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:49
action · edit_form_after_title · src\Mozart\htmlburger\carbon-fields\core\Loader\Loader.php:50
filter · carbon_fields_container_static_condition_types · src\Mozart\htmlburger\carbon-fields\core\Provider\Container_Condition_Provider.php:254
filter · carbon_fields_post_meta_container_static_condition_types · src\Mozart\htmlburger\carbon-fields\core\Provider\Container_Condition_Provider.php:262
filter · carbon_fields_post_meta_container_dynamic_condition_types · src\Mozart\htmlburger\carbon-fields\core\Provider\Container_Condition_Provider.php:263
filter · carbon_fields_term_meta_container_static_condition_types · src\Mozart\htmlburger\carbon-fields\core\Provider\Container_Condition_Provider.php:265
filter · carbon_fields_term_meta_container_dynamic_condition_types · src\Mozart\htmlburger\carbon-fields\core\Provider\Container_Condition_Provider.php:266
filter · carbon_fields_user_meta_container_static_condition_types · src\Mozart\htmlburger\carbon-fields\core\Provider\Container_Condition_Provider.php:268
filter · carbon_fields_user_meta_container_dynamic_condition_types · src\Mozart\htmlburger\carbon-fields\core\Provider\Container_Condition_Provider.php:269
filter · carbon_fields_theme_options_container_static_condition_types · src\Mozart\htmlburger\carbon-fields\core\Provider\Container_Condition_Provider.php:271
action · rest_api_init · src\Mozart\htmlburger\carbon-fields\core\REST_API\Decorator.php:31
action · rest_api_init · src\Mozart\htmlburger\carbon-fields\core\REST_API\Router.php:113
filter · carbon_fields_datastore_storage_array · src\Mozart\htmlburger\carbon-fields\core\Service\Legacy_Storage_Service_v_1_5.php:60
filter · get_meta_sql · src\Mozart\htmlburger\carbon-fields\core\Service\Meta_Query_Service.php:42
action · pre_get_posts · src\Mozart\htmlburger\carbon-fields\core\Service\Meta_Query_Service.php:44
action · pre_get_terms · src\Mozart\htmlburger\carbon-fields\core\Service\Meta_Query_Service.php:45
action · pre_get_users · src\Mozart\htmlburger\carbon-fields\core\Service\Meta_Query_Service.php:46
action · carbon_fields_fields_registered · src\Mozart\htmlburger\carbon-fields\core\Service\REST_API_Service.php:40
filter · carbon_get_post_meta_post_id · src\Mozart\htmlburger\carbon-fields\core\Service\Revisions_Service.php:11
action · carbon_fields_post_meta_container_saved · src\Mozart\htmlburger\carbon-fields\core\Service\Revisions_Service.php:12
filter · _wp_post_revision_fields · src\Mozart\htmlburger\carbon-fields\core\Service\Revisions_Service.php:13
filter · _wp_post_revision_fields · src\Mozart\htmlburger\carbon-fields\core\Service\Revisions_Service.php:14
action · wp_restore_post_revision · src\Mozart\htmlburger\carbon-fields\core\Service\Revisions_Service.php:15
filter · wp_save_post_revision_check_for_changes · src\Mozart\htmlburger\carbon-fields\core\Service\Revisions_Service.php:16
action · wp_loaded · src\Session\MzAccessSession.php:64
action · wp_loaded · src\Session\MzAccessSession.php:68
action · wp_session_database_gc · src\Session\MzAccessSession.php:103
action · admin_notices · src\Session\MzAccessSession.php:122

Scheduled Events 1

wp_session_database_gc
Maintenance & Trust

MZ MBO Access Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.7.15
Last updated: Unknown
PHP min version: not stated
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

MZ MBO Access Developer Profile

mikeill

2 plugins · 200 total installs

Trust score: 79
Avg security score: 100/100
Avg patch time: 937 days
Detection Fingerprints

How We Detect MZ MBO Access

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mindbody-access-management/src/access/css/mz-mbo-access-admin.css
/wp-content/plugins/mindbody-access-management/src/access/css/mz-mbo-access-public.css
/wp-content/plugins/mindbody-access-management/src/access/js/mz-mbo-access-admin.js
/wp-content/plugins/mindbody-access-management/src/access/js/mz-mbo-access-public.js
Version Parameters
mindbody-access-management/src/access/css/mz-mbo-access-admin.css?ver=
mindbody-access-management/src/access/css/mz-mbo-access-public.css?ver=
mindbody-access-management/src/access/js/mz-mbo-access-admin.js?ver=
mindbody-access-management/src/access/js/mz-mbo-access-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
mz-mbo-access-restricted
mz-mbo-access-login-required
mz-mbo-access-logout-required
mz-mbo-access-logged-in
mz-mbo-access-logged-out
Data Attributes
data-mz-mbo-access-logged-in
data-mz-mbo-access-logged-out
data-mz-mbo-access-login-required
data-mz-mbo-access-logout-required
JS Globals
MZoo_MzMboAccess_Public
MZoo_MzMboAccess_Admin
Shortcode Output
[mz-mbo-access-login-required][/mz-mbo-access-login-required]
[mz-mbo-access-logout-required][/mz-mbo-access-logout-required]
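The fingerprints above, applied in code: an added example (not part of this page's tooling or the plugin) that runs the asset-path, version-parameter, CSS-class, data-attribute and JS-global patterns over a page's HTML and reports whether the plugin is present and which version the ?ver= parameter advertises. The sample HTML is constructed for the demo and the "2.1.6" in it is illustrative; the detection rule (an asset path alone, or any two DOM signals together) is this example's own choice, not the scanner's.

```php
<?php
// Added example, not the page's or the plugin's code. Patterns follow the
// Detection Fingerprints section; the combination rule is an assumption.

// Asset paths carry the plugin slug and, optionally, a ?ver= version parameter.
const MZ_ASSET_PATH_RE = '#/wp-content/plugins/mindbody-access-management/src/access/(?:css|js)/mz-mbo-access-(?:admin|public)\.(?:css|js)(?:\?ver=([0-9][\w.\-]*))?#';
// DOM signals. The lookbehind keeps a data-* attribute from also counting as a class.
const MZ_CSS_CLASS_RE  = '#(?<![\w-])mz-mbo-access-(?:restricted|login-required|logout-required|logged-in|logged-out)\b#';
const MZ_DATA_ATTR_RE  = '#\bdata-mz-mbo-access-(?:logged-in|logged-out|login-required|logout-required)\b#';
const MZ_JS_GLOBAL_RE  = '#\bMZoo_MzMboAccess_(?:Public|Admin)\b#';

/**
 * Returns ['detected' => bool, 'version' => string|null, 'evidence' => [signal => hits]].
 * An asset path is treated as conclusive (it names the plugin directory); DOM
 * signals are weaker because markup can be copied, so they count only in pairs.
 */
function mz_fingerprint( string $html ): array {
    $evidence = [];
    $version  = null;

    if ( preg_match_all( MZ_ASSET_PATH_RE, $html, $m ) ) {
        $evidence['asset_path'] = count( $m[0] );
        foreach ( $m[1] as $v ) {            // unmatched optional group yields ''
            if ( $v !== '' ) { $version = $v; break; }
        }
    }

    $dom = [ 'css_class' => MZ_CSS_CLASS_RE, 'data_attr' => MZ_DATA_ATTR_RE, 'js_global' => MZ_JS_GLOBAL_RE ];
    foreach ( $dom as $name => $re ) {
        $hits = preg_match_all( $re, $html );
        if ( $hits ) {
            $evidence[ $name ] = $hits;
        }
    }

    $detected = isset( $evidence['asset_path'] ) || count( $evidence ) >= 2;
    return [ 'detected' => $detected, 'version' => $version, 'evidence' => $evidence ];
}

// Constructed sample page (not captured from a real site).
$sample = <<<'HTML'
<!doctype html><html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/mindbody-access-management/src/access/css/mz-mbo-access-public.css?ver=2.1.6">
<script src="https://example.test/wp-content/plugins/mindbody-access-management/src/access/js/mz-mbo-access-public.js?ver=2.1.6"></script>
<script>var MZoo_MzMboAccess_Public = {"ajaxurl":"/wp-admin/admin-ajax.php"};</script>
</head><body>
<div class="mz-mbo-access-restricted mz-mbo-access-logged-out" data-mz-mbo-access-login-required="1">Please log in.</div>
</body></html>
HTML;

echo json_encode( mz_fingerprint( $sample ), JSON_PRETTY_PRINT ), "\n";

// A page that merely reuses the CSS class names, with no asset path and no
// second signal, is reported as not detected.
echo json_encode( mz_fingerprint( '<div class="mz-mbo-access-restricted"></div>' ) ), "\n";
```

Feed it the raw HTML of the site's front page and of one page that uses the shortcode: the public CSS/JS assets are enqueued on the front end, while the admin assets only appear behind wp-admin. A version reported here comes from the ?ver= parameter, which themes and caching plugins can strip or rewrite, so treat it as a hint, not proof that the site runs 2.1.6.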
FAQ

Frequently Asked Questions about MZ MBO Access