Planaday API Security & Risk Analysis

wordpress.org/plugins/planaday-api

Toon het cursusaanbod vanuit Planaday op jouw website met deze Wordpress-plugin Dit kan middels een lijst, op cursussoort of alle cursussen en in vers …

20 active installs v11.7 PHP + WP + Updated Jun 12, 2025
apicoursecursusplanadayplanning
91
A · Safe
CVEs total1
Unpatched0
Last CVEDec 11, 2024
Safety Verdict

Is Planaday API Safe to Use in 2026?

Generally Safe

Score 91/100

Planaday API has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Dec 11, 2024Updated 1yr ago
Risk Assessment

The planaday-api plugin exhibits a mixed security posture. While it demonstrates good practices by largely utilizing prepared statements for SQL queries and generally performing output escaping, there are significant concerns revealed by the taint analysis. The fact that 100% of the analyzed flows have unsanitized paths, with two identified as high severity, points to potential vulnerabilities where user-supplied data could be manipulated to execute unintended actions. The plugin's history of one medium severity Cross-Site Scripting (XSS) vulnerability, though currently patched, indicates a past tendency for input sanitization issues. The absence of unprotected entry points (AJAX, REST API) is a positive sign, but the 18 total flows with unsanitized paths represent a substantial risk. Overall, the plugin has strengths in its SQL handling and escaping practices, but the high number of unsanitized taint flows and past XSS vulnerability warrant careful consideration and ongoing monitoring.

Key Concerns

  • High severity taint flows found
  • All analyzed flows have unsanitized paths
  • Past medium severity XSS vulnerability
  • Low output escaping percentage
Vulnerabilities
1 published

Planaday API Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2024-11804medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Planaday API <= 11.4 - Reflected Cross-Site Scripting

Dec 11, 2024 Patched in 11.5 (1d)
Version History

Planaday API Release Timeline

v11.7Current
v11.6
v11.5
v11.41 CVE
v11.21 CVE
v11.11 CVE
v11.01 CVE
v10.61 CVE
v10.51 CVE
v10.41 CVE
v10.31 CVE
v10.21 CVE
v10.11 CVE
v9.111 CVE
v9.101 CVE
v9.91 CVE
v9.81 CVE
v9.71 CVE
v9.61 CVE
v9.51 CVE
Code Analysis
Analyzed Apr 16, 2026

Planaday API Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
48 prepared
Unescaped Output
262
374 escaped
Nonce Checks
3
Capability Checks
2
File Operations
0
External Requests
1
Bundled Libraries
0

SQL Query Safety

98% prepared49 total queries

Output Escaping

59% escaped636 total outputs
Data Flows · Security
18 unsanitized

Data Flow Analysis

18 flows18 with unsanitized paths
planaday_api_admin_page (src/api/classes/settings/settings_general.php:184)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Planaday API Attack Surface

Entry Points15
Unprotected0

Shortcodes 15

[pad-name] src/api/classes/shortcodes.php:52
[pad-dates] src/api/classes/shortcodes.php:53
[pad-dates-locations] src/api/classes/shortcodes.php:54
[pad-price] src/api/classes/shortcodes.php:56
[pad-price-remark] src/api/classes/shortcodes.php:57
[pad-button] src/api/classes/shortcodes.php:59
[pad-bookingform] src/api/classes/shortcodes.php:60
[pad-courseid] src/api/classes/shortcodes.php:61
[bookingform] src/api/classes/shortcodes.php:62
[courselisttable] src/api/classes/shortcodes.php:63
[courselistlist] src/api/classes/shortcodes.php:67
[courselistblock] src/api/classes/shortcodes.php:71
[courselistblock2] src/api/classes/shortcodes.php:75
[coursesearch] src/api/classes/shortcodes.php:79
[coursecalendar] src/api/classes/shortcodes.php:81
WordPress Hooks 18
actionplugins_loadedindex.php:46
actioninitindex.php:47
actioninitindex.php:48
actionwp_enqueue_scriptsindex.php:49
actionwidgets_initindex.php:50
actionadmin_enqueue_scriptsindex.php:51
actionpaytium_after_pt_show_payment_detailsindex.php:52
actionwp_enqueue_scriptsindex.php:53
actionplugins_loadedindex.php:54
actionadmin_noticesindex.php:55
actionwpindex.php:63
actionpad_cron_update_all_coursesindex.php:64
filterquery_varssrc/api/api.php:57
filterrewrite_rules_arraysrc/api/api.php:58
actionsave_bookingsrc/api/api.php:60
actionadmin_menusrc/api/api.php:65
actionadmin_initsrc/api/api.php:66
actionwidgets_initsrc/api/classes/settings/settings_welcome.php:25

Scheduled Events 1

pad_cron_update_all_courses
Maintenance & Trust

Planaday API Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedJun 12, 2025
PHP min version
Downloads9K

Community Trust

Rating0/100
Number of ratings0
Active installs20
Developer Profile

Planaday API Developer Profile

Planaday Developers

2 plugins · 30 total installs

97
trust score
Avg Security Score
96/100
Avg Patch Time
1 days
View full developer profile
Detection Fingerprints

How We Detect Planaday API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/planaday-api/assets/logobreed.png/wp-content/plugins/planaday-api/assets/css/planaday-fa.css/wp-content/plugins/planaday-api/assets/css/fullcalendar.min.css/wp-content/plugins/planaday-api/assets/css/planaday-style.css/wp-content/plugins/planaday-api/assets/css/parsley.css/wp-content/plugins/planaday-api/assets/js/fontawesome.min.js/wp-content/plugins/planaday-api/assets/js/moment.min.js/wp-content/plugins/planaday-api/assets/js/fullcalendar.min.js+9 more
Script Paths
/wp-content/plugins/planaday-api/assets/js/fontawesome.min.js/wp-content/plugins/planaday-api/assets/js/moment.min.js/wp-content/plugins/planaday-api/assets/js/fullcalendar.min.js/wp-content/plugins/planaday-api/assets/js/parsley.min.js/wp-content/plugins/planaday-api/assets/js/editor.js/wp-content/plugins/planaday-api/assets/codemirror/csslint.js+4 more
Version Parameters
/planaday-api/assets/css/planaday-fa.css?ver=/planaday-api/assets/css/fullcalendar.min.css?ver=/planaday-api/assets/css/planaday-style.css?ver=/planaday-api/assets/css/parsley.css?ver=

HTML / DOM Fingerprints

CSS Classes
planaday-api
FAQ

Frequently Asked Questions about Planaday API