WP-Safety

Nabooki Booking Widgets Security & Risk Analysis

wordpress.org/plugins/nabooki-booking

Receive online bookings for your service business with nabooki’s official plugin for Wordpress.

10 active installs v0.3 PHP + WP 3.0.1+ Updated Dec 12, 2018
appointmentsbookingnabookionline-bookingonline-bookings
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Nabooki Booking Widgets Safe to Use in 2026?

Generally Safe

Score 85/100

Nabooki Booking Widgets has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The nabooki-booking plugin v0.3 exhibits a concerning security posture due to significant gaps in authentication and output sanitization, despite having no recorded historical vulnerabilities. The static analysis reveals two AJAX handlers that lack authentication checks, presenting a direct attack vector for unauthenticated users. Furthermore, the plugin utilizes the dangerous `unserialize` function twice, which can lead to Remote Code Execution (RCE) if manipulated by an attacker with serialized data input. Taint analysis shows all five flows with unsanitized paths, although no critical or high severity issues were flagged in this specific analysis run, suggesting potential for exploitation if these paths are reachable by untrusted input. The limited number of AJAX endpoints and shortcodes, along with the absence of file operations and cron events, are positive aspects. However, the combination of unprotected entry points and a dangerous function like `unserialize` creates a significant risk profile. The lack of historical vulnerabilities is a positive sign, but it does not negate the current code-level risks. Users should be cautious, and developers should prioritize addressing the unauthenticated AJAX handlers and the use of `unserialize` with proper sanitization and authentication.

Key Concerns

  • Unprotected AJAX handlers
  • Use of dangerous unserialize function
  • Low output escaping coverage
  • No nonce checks on AJAX handlers
  • No capability checks
  • Unsanitized paths in taint analysis
Vulnerabilities
None known

Nabooki Booking Widgets Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Nabooki Booking Widgets Release Timeline

v0.4
v0.3Current
v0.2
v0.1
Code Analysis
Analyzed Mar 17, 2026

Nabooki Booking Widgets Code Analysis

Dangerous Functions
2
Raw SQL Queries
0
0 prepared
Unescaped Output
20
5 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
2
Bundled Libraries
0

Dangerous Functions Found

unserialize$items = unserialize($items);nabooki-admin.php:47
unserialize$items = unserialize($items);nabooki.php:60

Output Escaping

20% escaped25 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

5 flows5 with unsanitized paths
_viewWidgetItem (nabooki-admin.php:291)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

Nabooki Booking Widgets Attack Surface

Entry Points4
Unprotected2

AJAX Handlers 2

authwp_ajax_nabooki_link_accountnabooki.php:309
authwp_ajax_nabooki_unlink_accountnabooki.php:312

Shortcodes 2

[nabooki-button] nabooki.php:315
[nabooki-widget] nabooki.php:318
WordPress Hooks 3
actionadmin_headnabooki.php:303
actionadmin_menunabooki.php:306
actionwidgets_initnabooki.php:321
Maintenance & Trust

Nabooki Booking Widgets Maintenance & Trust

Maintenance Signals

WordPress version tested5.0.25
Last updatedDec 12, 2018
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

Nabooki Booking Widgets Alternatives

Booking Ultra Pro Appointments Booking Calendar Plugin

Booking Ultra Pro Appointments Booking Calendar Plugin

booking-ultra-pro

C
50

Powerful Booking Plugin with amazing dashboard to manage all of your appointments & bookings online.

400 1 unpatched
Buk for WordPress

Buk for WordPress

buk-appointments

A
99

Simple and flexible online appointments for your clients. Add a BUK.app apointment shortcode to your WordPress site.

40 1 CVE
Booking / Appointment

Booking / Appointment

booking-appointment

A
100

Bookings/Appointments provides the facility for users to book appointments for any business. Users can book appointments according to different times.

10 No CVEs
LatePoint – Calendar Booking Plugin for Appointments and Events

LatePoint – Calendar Booking Plugin for Appointments and Events

latepoint

F
20

Optimize your appointment scheduling with our plugin. Sync calendars, automate reminders, and keep your bookings organized.

100K 2 unpatched
Booking for Appointments and Events Calendar – Amelia

Booking for Appointments and Events Calendar – Amelia

ameliabooking

A
88

Amelia is a powerful booking plugin for appointments and events. Manage scheduling, calendars, and availability with an all-in-one booking system.

90K 30 CVEs
Developer Profile

Nabooki Booking Widgets Developer Profile

nabooki

1 plugin · 10 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Nabooki Booking Widgets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/nabooki-booking/nabooki.js
Script Paths
https://services.nabooki.com/js/booking-button.jshttps://services.nabooki.com/js/iframeResizer.js

HTML / DOM Fingerprints

CSS Classes
nb-button
Data Attributes
data-widget
JS Globals
iFrameResizeinitResizer
FAQ

Frequently Asked Questions about Nabooki Booking Widgets