WP-Safety

Oxtilo Fast Cal Security & Risk Analysis

wordpress.org/plugins/oxtilo-fast-cal

A secure and flexible booking management system for WordPress with availability handling, ICS sync, and REST API.

0 active installs v0.9.8 PHP 7.4+ WP 5.8+ Updated Unknown
appointmentbookingcalendarreservationschedule
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Oxtilo Fast Cal Safe to Use in 2026?

Generally Safe

Score 100/100

Oxtilo Fast Cal has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "oxtilo-fast-cal" plugin version 0.9.8 demonstrates a generally good security posture based on the static analysis. The absence of critical and high-severity taint flows, along with a substantial number of proper SQL prepared statements and a decent percentage of properly escaped outputs, are positive indicators. The plugin also implements a reasonable number of nonce and capability checks, which are essential for securing WordPress functionalities.

However, there are areas that warrant attention. The relatively low percentage of properly escaped outputs (54%) suggests a potential risk of Cross-Site Scripting (XSS) vulnerabilities if certain output functionalities are not handled with sufficient sanitization. While no specific XSS vulnerabilities were flagged in the taint analysis, this percentage indicates a weakness that could be exploited. The single file operation and external HTTP request, while not inherently dangerous, are always potential entry points for vulnerabilities if not secured correctly.

Given that there are no recorded CVEs for this plugin, its vulnerability history is a strength, indicating a track record of security. The lack of past vulnerabilities could suggest either a well-maintained codebase or simply a lack of discovered issues. Overall, the plugin has a solid foundation, but the unescaped output is the most significant concern, requiring careful review and remediation.

Key Concerns

  • Low percentage of properly escaped outputs
Vulnerabilities
None known

Oxtilo Fast Cal Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Oxtilo Fast Cal Code Analysis

Dangerous Functions
0
Raw SQL Queries
7
24 prepared
Unescaped Output
265
316 escaped
Nonce Checks
11
Capability Checks
12
File Operations
1
External Requests
1
Bundled Libraries
0

SQL Query Safety

77% prepared31 total queries

Output Escaping

54% escaped581 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flows
<bookings-page> (admin\views\bookings-page.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Oxtilo Fast Cal Attack Surface

Entry Points7
Unprotected0

AJAX Handlers 6

authwp_ajax_oxtilofastcal_generate_calendar_tokenadmin\class-oxtilofastcal-admin.php:45
authwp_ajax_oxtilofastcal_generate_api_tokenadmin\class-oxtilofastcal-admin.php:46
authwp_ajax_oxtilofastcal_test_ics_feedadmin\class-oxtilofastcal-admin.php:47
authwp_ajax_oxtilofastcal_diagnosticsadmin\class-oxtilofastcal-admin.php:48
authwp_ajax_oxtilofastcal_get_slotsincludes\class-oxtilofastcal-ajax.php:43
noprivwp_ajax_oxtilofastcal_get_slotsincludes\class-oxtilofastcal-ajax.php:44

Shortcodes 1

[oxtilofastcal_form] includes\class-oxtilofastcal-shortcode.php:42
WordPress Hooks 24
actionadmin_menuadmin\class-oxtilofastcal-admin.php:42
actionadmin_initadmin\class-oxtilofastcal-admin.php:43
actionadmin_enqueue_scriptsadmin\class-oxtilofastcal-admin.php:44
actionadmin_post_oxtilofastcal_save_bookingadmin\class-oxtilofastcal-admin.php:51
actionadmin_post_oxtilofastcal_delete_bookingadmin\class-oxtilofastcal-admin.php:52
actionadmin_post_oxtilofastcal_create_bookingadmin\class-oxtilofastcal-admin.php:53
actionadmin_post_oxtilofastcal_submit_bookingincludes\class-oxtilofastcal-ajax.php:47
actionadmin_post_nopriv_oxtilofastcal_submit_bookingincludes\class-oxtilofastcal-ajax.php:48
actionrest_api_initincludes\class-oxtilofastcal-api.php:49
actionoxtilofastcal_cleanup_dailyincludes\class-oxtilofastcal-cron.php:42
filtergettextincludes\class-oxtilofastcal-i18n-fallback.php:413
actioninitincludes\class-oxtilofastcal-ics-feed.php:42
filterquery_varsincludes\class-oxtilofastcal-ics-feed.php:43
actiontemplate_redirectincludes\class-oxtilofastcal-ics-feed.php:44
actioninitincludes\class-oxtilofastcal-manager.php:42
filterquery_varsincludes\class-oxtilofastcal-manager.php:43
actiontemplate_redirectincludes\class-oxtilofastcal-manager.php:44
filtertemplate_includeincludes\class-oxtilofastcal-manager.php:127
actioninitincludes\class-oxtilofastcal-plugin.php:50
actioninitincludes\class-oxtilofastcal-plugin.php:53
actionplugins_loadedincludes\class-oxtilofastcal-plugin.php:56
actionwp_enqueue_scriptsincludes\class-oxtilofastcal-shortcode.php:43
actioninitoxtilo-fast-cal.php:52
actionplugins_loadedoxtilo-fast-cal.php:70

Scheduled Events 1

oxtilofastcal_cleanup_daily
Maintenance & Trust

Oxtilo Fast Cal Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedUnknown
PHP min version7.4
Downloads126

Community Trust

Rating0/100
Number of ratings0
Active installs0
Alternatives

Oxtilo Fast Cal Alternatives

MotoPress Appointment Booking

MotoPress Appointment Booking

motopress-appointment-lite

A
100

MotoPress Appointment Booking makes it easy for time and service-based businesses to accept bookings and appointments online.

2K No CVEs
SimplyBook.me – Booking and reservations calendar

SimplyBook.me – Booking and reservations calendar

simplybook

A
100

Simply add a booking calendar to your site to schedule bookings, reservations, appointments and to collect payments.

20K No CVEs
Appointment Hour Booking – Booking Calendar

Appointment Hour Booking – Booking Calendar

appointment-hour-booking

A
92

Appointment Hour Booking is a plugin for creating booking forms for appointments with a start time and a defined duration within a schedule.

10K 11 CVEs
Booking Package

Booking Package

booking-package

A
92

Booking Package is the simplest solution for integrating an online appointment booking calendar system and event calendar into your WordPress website.

10K 6 CVEs
Easy Appointments

Easy Appointments

easy-appointments

A
96

Add Booking system to your WordPress site and manage Appointments with ease. Extremely flexible time management and custom email notifications.

10K 7 CVEs
Developer Profile

Oxtilo Fast Cal Developer Profile

Slawomir Klimek oxtilo

1 plugin · 0 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Oxtilo Fast Cal

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/oxtilo-fast-cal/assets/oxtilofastcal-admin.css/wp-content/plugins/oxtilo-fast-cal/assets/oxtilofastcal-admin.js
Script Paths
/wp-content/plugins/oxtilo-fast-cal/assets/oxtilofastcal-admin.js
Version Parameters
oxtilo-fast-cal/assets/oxtilofastcal-admin.css?ver=oxtilo-fast-cal/assets/oxtilofastcal-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
oxtilofastcal-admin-wrap
Data Attributes
data-nonce="wp_create_nonce( 'oxtilofastcal_generate_calendar_token' )"data-nonce="wp_create_nonce( 'oxtilofastcal_test_ics_feed' )"data-nonce="wp_create_nonce( 'oxtilofastcal_diagnostics' )"
JS Globals
oxtilofastcalAdmin
REST Endpoints
/wp-json/oxtilofastcal/v1/booking/wp-json/oxtilofastcal/v1/booking/(?P<id>\d+)/wp-json/oxtilofastcal/v1/availability/wp-json/oxtilofastcal/v1/availability/(?P<id>\d+)/wp-json/oxtilofastcal/v1/booking-meta/wp-json/oxtilofastcal/v1/settings/wp-json/oxtilofastcal/v1/templates/wp-json/oxtilofastcal/v1/template/(?P<id>\d+)/wp-json/oxtilofastcal/v1/diagnostics/wp-json/oxtilofastcal/v1/feed
Shortcode Output
[oxtilo_fast_cal][oxtilo_fast_cal_booking]
FAQ

Frequently Asked Questions about Oxtilo Fast Cal