Smart Appointment & Booking Security & Risk Analysis

wordpress.org/plugins/smart-appointment-booking

The Smart Appointment & Booking all-in-one plugin offers a seamless experience by providing customizable forms, email notifications, redirect users

0 active installs · v1.0.8 · PHP + WP 5.9+ · Updated Jan 30, 2026
Tags: appointment, booking, booking-appointments, forms, scheduling-form
Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Feb 3, 2026
Safety Verdict

Is Smart Appointment & Booking Safe to Use in 2026?

Generally Safe

Score 99/100

Smart Appointment & Booking has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 3, 2026 · Updated 2mo ago
Risk Assessment

The "smart-appointment-booking" plugin v1.0.8 presents a mixed security posture. While it demonstrates good practices such as 100% prepared SQL statements and a high percentage of properly escaped output, the presence of unprotected AJAX handlers is a significant concern. These four entry points lack authentication checks, potentially allowing unauthenticated users to trigger unintended actions or expose sensitive information.

The taint analysis indicates a limited number of flows, with no critical or high severity issues identified, which is a positive sign. However, three flows with unsanitized paths suggest potential vulnerabilities that might be exploited if an attacker can control the input. The vulnerability history shows one known medium severity CVE, which has been patched, indicating that past issues have been addressed. However, the pattern of a past Cross-site Scripting (XSS) vulnerability warrants continued vigilance.

Overall, the plugin has strengths in its database query handling and output sanitization. The primary weaknesses lie in the unprotected AJAX endpoints and the potential for unsanitized input, which could be exploited to execute arbitrary code or cause other security issues. The lack of critical findings in taint analysis and the absence of unpatched CVEs are encouraging, but the identified attack surface without proper authentication requires immediate attention.

Key Concerns

  • Unprotected AJAX handlers (4)
  • Flows with unsanitized paths (3)
  • Bundled outdated library (jQuery v3.7.0)
  • Total known CVEs: 1 (medium)
Vulnerabilities
1

Smart Appointment & Booking Security Vulnerabilities

CVEs by Year

2026: 1 CVE

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-0742 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smart Appointment & Booking <= 1.0.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via saab_save_form_data AJAX Action

Feb 3, 2026 Patched in 1.0.8 (1d)
Code Analysis
Analyzed Mar 17, 2026

Smart Appointment & Booking Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 67 (598 escaped)
Nonce Checks: 23
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

  • DataTables
  • jQuery 3.7.0

Output Escaping

90% escaped · 665 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

9 flows · 3 with unsanitized paths
saab_render_notification_settings_page (inc\admin\class.saab.admin.action.php:573)
Attack Surface
4 unprotected

Smart Appointment & Booking Attack Surface

Entry Points: 32
Unprotected: 4

AJAX Handlers 28

auth · wp_ajax_saab_save_form_data · inc\admin\class.saab.admin.action.php:28
auth · wp_ajax_saab_preiveiw_timeslot · inc\admin\class.saab.admin.action.php:32
nopriv · wp_ajax_saab_preiveiw_timeslot · inc\admin\class.saab.admin.action.php:33
auth · wp_ajax_saab_save_new_notification · inc\admin\class.saab.admin.action.php:35
nopriv · wp_ajax_saab_save_new_notification · inc\admin\class.saab.admin.action.php:36
auth · wp_ajax_delete_notification_indexes · inc\admin\class.saab.admin.action.php:41
auth · wp_ajax_saab_update_notification_state · inc\admin\class.saab.admin.action.php:43
nopriv · wp_ajax_saab_update_notification_state · inc\admin\class.saab.admin.action.php:44
auth · wp_ajax_saab_save_user_mapping · inc\admin\class.saab.admin.action.php:46
nopriv · wp_ajax_saab_save_user_mapping · inc\admin\class.saab.admin.action.php:47
auth · wp_ajax_saab_save_confirmation · inc\admin\class.saab.admin.action.php:49
nopriv · wp_ajax_saab_save_confirmation · inc\admin\class.saab.admin.action.php:50
auth · wp_ajax_saab_update_form_entry_data · inc\admin\class.saab.admin.action.php:52
nopriv · wp_ajax_saab_update_form_entry_data · inc\admin\class.saab.admin.action.php:53
auth · wp_ajax_saab_get_paginated_items_for_waiting_list · inc\admin\class.saab.admin.action.php:59
nopriv · wp_ajax_saab_get_paginated_items_for_waiting_list · inc\admin\class.saab.admin.action.php:60
auth · wp_ajax_saab_booking_form_submission · inc\front\class.saab.front.action.php:23
nopriv · wp_ajax_saab_booking_form_submission · inc\front\class.saab.front.action.php:24
auth · wp_ajax_saab_save_form_submission · inc\front\class.saab.front.action.php:26
nopriv · wp_ajax_saab_save_form_submission · inc\front\class.saab.front.action.php:27
auth · wp_ajax_saab_action_reload_calender · inc\front\class.saab.front.action.php:29
nopriv · wp_ajax_saab_action_reload_calender · inc\front\class.saab.front.action.php:30
auth · wp_ajax_saab_action_display_available_timeslots · inc\front\class.saab.front.action.php:32
nopriv · wp_ajax_saab_action_display_available_timeslots · inc\front\class.saab.front.action.php:33
auth · wp_ajax_saab_cancel_booking · inc\front\class.saab.front.action.php:39
nopriv · wp_ajax_saab_cancel_booking · inc\front\class.saab.front.action.php:40
auth · wp_ajax_saab_cancel_booking_shortcode · inc\front\class.saab.front.action.php:43
nopriv · wp_ajax_saab_cancel_booking_shortcode · inc\front\class.saab.front.action.php:44

Shortcodes 4

[saab_booking_form] inc\front\class.saab.front.action.php:38
[saab_confirm_booking_cancellation] inc\front\class.saab.front.action.php:42
[saab_summary] inc\front\class.saab.front.action.php:47
[saab_add_to_cal] inc\front\class.saab.front.action.php:48

WordPress Hooks 26

action · init · inc\admin\class.saab.admin.action.php:23
action · admin_enqueue_scripts · inc\admin\class.saab.admin.action.php:24
action · admin_enqueue_scripts · inc\admin\class.saab.admin.action.php:25
action · admin_menu · inc\admin\class.saab.admin.action.php:26
action · manage_saab_form_builder_posts_custom_column · inc\admin\class.saab.admin.action.php:29
action · manage_manage_entries_posts_custom_column · inc\admin\class.saab.admin.action.php:30
action · init · inc\admin\class.saab.admin.action.php:38
action · admin_enqueue_scripts · inc\admin\class.saab.admin.action.php:39
action · restrict_manage_posts · inc\admin\class.saab.admin.action.php:55
action · pre_get_posts · inc\admin\class.saab.admin.action.php:56
action · post_submitbox_misc_actions · inc\admin\class.saab.admin.action.php:58
action · plugins_loaded · inc\admin\class.saab.admin.action.php:1781
action · add_meta_boxes · inc\admin\class.saab.admin.fieldmeta.php:22
action · save_post · inc\admin\class.saab.admin.fieldmeta.php:23
action · save_post · inc\admin\class.saab.admin.fieldmeta.php:24
action · plugins_loaded · inc\admin\class.saab.admin.fieldmeta.php:2228
filter · manage_saab_form_builder_posts_columns · inc\admin\class.saab.admin.filter.php:23
filter · manage_manage_entries_posts_columns · inc\admin\class.saab.admin.filter.php:24
filter · post_row_actions · inc\admin\class.saab.admin.filter.php:25
action · plugins_loaded · inc\admin\class.saab.admin.filter.php:74
action · setup_theme · inc\class.saab.php:32
action · plugins_loaded · inc\class.saab.php:33
action · wp_enqueue_scripts · inc\front\class.saab.front.action.php:35
action · wp_enqueue_scripts · inc\front\class.saab.front.action.php:36
action · saab_get_available_seats_per_timeslot · inc\front\class.saab.front.action.php:46
action · plugins_loaded · inc\front\class.saab.front.action.php:2807
Maintenance & Trust

Smart Appointment & Booking Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 30, 2026
PHP min version
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Smart Appointment & Booking Developer Profile

ZealousWeb

18 plugins · 7K total installs

Trust score: 87
Avg Security Score: 98/100
Avg Patch Time: 88 days
Detection Fingerprints

How We Detect Smart Appointment & Booking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/smart-appointment-booking/assets/css/admin.min.css
  • /wp-content/plugins/smart-appointment-booking/assets/css/admin.css
  • /wp-content/plugins/smart-appointment-booking/assets/css/font-awesome.css
  • /wp-content/plugins/smart-appointment-booking/assets/css/formio/formio.full.min.css
  • /wp-content/plugins/smart-appointment-booking/assets/css/boostrap/boostrap.min.css
  • /wp-content/plugins/smart-appointment-booking/assets/css/boostrap/jquery.dataTables.min.css
  • /wp-content/plugins/smart-appointment-booking/assets/js/boostrap/jquery.dataTables.min.js
  • /wp-content/plugins/smart-appointment-booking/assets/js/boostrap/dataTables.boostrap5.min.js
  • +2 more
Version Parameters
  • smart-appointment-booking/assets/css/admin.min.css?ver=
  • smart-appointment-booking/assets/css/admin.css?ver=
  • smart-appointment-booking/assets/css/font-awesome.css?ver=
  • smart-appointment-booking/assets/css/formio/formio.full.min.css?ver=
  • smart-appointment-booking/assets/css/boostrap/boostrap.min.css?ver=
  • smart-appointment-booking/assets/css/boostrap/jquery.dataTables.min.css?ver=
  • smart-appointment-booking/assets/js/boostrap/jquery.dataTables.min.js?ver=
  • smart-appointment-booking/assets/js/boostrap/dataTables.boostrap5.min.js?ver=
  • smart-appointment-booking/assets/js/boostrap/popper.min.js?ver=
  • smart-appointment-booking/assets/js/boostrap/boostrap.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
saab-booking-wrapper
HTML Comments
  • Start of Code
  • SAAB_Admin_Action Class
  • The SAAB_Admin_Action Class
Data Attributes
data-nonce
JS Globals
  • saab_ajax_object
  • SAAB_Admin_Action
REST Endpoints
  • /wp-json/saab/v1/forms
  • /wp-json/saab/v1/appointments
Shortcode Output
  • [saab_booking_form]
  • [saab_appointments_list]