Truebooker – Appointment Booking and Scheduler System Security & Risk Analysis

wordpress.org/plugins/truebooker-appointment-booking

Book appointments, create booking with Truebooker. Easily create appointments, manage time and dates and send out emails.

600 active installs v1.1.5 PHP 7.4+ WP 6.5+ Updated Mar 7, 2026
Tags: appointment, appointment-booking, booking, booking-calendar, scheduling
89
A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Mar 30, 2026
Safety Verdict

Is Truebooker – Appointment Booking and Scheduler System Safe to Use in 2026?

Generally Safe

Score 89/100

Truebooker – Appointment Booking and Scheduler System has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Mar 30, 2026 · Updated 28d ago
Risk Assessment

The "truebooker-appointment-booking" plugin version 1.1.5 presents a mixed security posture. While the code analysis indicates a positive trend in using prepared statements for SQL queries and a good number of nonce checks, there are significant concerns regarding its attack surface. A substantial number of AJAX handlers (8 out of 13) lack proper authentication checks, creating direct entry points for potential attackers. The absence of capability checks is also a notable weakness.

The vulnerability history reveals a pattern of critical and medium severity vulnerabilities, including missing authorization, CSRF, and SQL injection. The fact that the last vulnerability was in 2025 suggests that while recent issues might have been addressed, the plugin has a history of introducing security flaws. The presence of critical vulnerabilities in the past, even if currently patched, warrants caution and highlights potential areas of recurring weakness in the codebase.

Overall, while the plugin demonstrates some good practices like prepared statements and nonce checks, the large number of unprotected AJAX endpoints and its history of critical vulnerabilities mean users should exercise caution. The lack of capability checks on its entry points is a significant security gap that needs immediate attention. A thorough security audit focusing on authorization and input validation for the unprotected AJAX handlers is highly recommended.

Key Concerns

  • High number of unprotected AJAX handlers
  • No capability checks found
  • History of 1 critical CVE (currently unpatched)
  • History of 3 medium CVEs
  • Low percentage of properly escaped output
Vulnerabilities
5

Truebooker – Appointment Booking and Scheduler System Security Vulnerabilities

CVEs by Year

2024: 2 CVEs
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

Critical: 1
Medium: 4

5 total CVEs

CVE-2026-1797 · medium · 5.3 · Missing Authorization
Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files
Mar 30, 2026 · Patched in 1.1.5 (1d)

CVE-2025-67581 · medium · 5.3 · Missing Authorization
TrueBooker <= 1.1.0 - Missing Authorization
Dec 15, 2025 · Patched in 1.1.1 (6d)

CVE-2025-47543 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
TrueBooker <= 1.0.7 - Cross-Site Request Forgery
May 7, 2025 · Patched in 1.0.8 (7d)

CVE-2024-6924 · critical · 10 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
TrueBooker <= 1.0.3 - Unauthenticated SQL Injection
Aug 10, 2024 · Patched in 1.0.4 (46d)

CVE-2024-6925 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
TrueBooker <= 1.0.2 - Cross-Site Request Forgery to Settings Update
Aug 10, 2024 · Patched in 1.0.3 (52d)

Code Analysis
Analyzed Mar 16, 2026

Truebooker – Appointment Booking and Scheduler System Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 18 (56 prepared)
Unescaped Output: 181 (391 escaped)
Nonce Checks: 24
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

76% prepared · 74 total queries

Output Escaping

68% escaped · 572 total outputs
Data Flows
All sanitized

Data Flow Analysis

8 flows
truebooker_appointment_remove_data (main\truebooker-appointment.php:155)
Attack Surface
8 unprotected

Truebooker – Appointment Booking and Scheduler System Attack Surface

Entry Points: 13
Unprotected: 8

AJAX Handlers 12

auth · wp_ajax_truebooker_category_insert · main\functions-ajax.php:5
auth · wp_ajax_truebooker_service_insert · main\functions-ajax.php:15
auth · wp_ajax_truebooker_setting_insert · main\functions-ajax.php:25
auth · wp_ajax_truebooker_user_insert · main\functions-ajax.php:34
auth · wp_ajax_truebooker_service_name · main\functions-ajax.php:42
auth · wp_ajax_truebooker_service_price · main\functions-ajax.php:50
auth · wp_ajax_truebooker_service_refresh · main\functions-ajax.php:58
auth · wp_ajax_truebooker_category_refresh · main\functions-ajax.php:66
auth · wp_ajax_truebooker_appointment_booking_action · main\truebooker-main.php:341
nopriv · wp_ajax_truebooker_appointment_booking_action · main\truebooker-main.php:342
auth · wp_ajax_truebooker_get_service_capacity · main\views\bookingform-frontend.php:182
nopriv · wp_ajax_truebooker_get_service_capacity · main\views\bookingform-frontend.php:183

Shortcodes 1

[booking_form] main\views\bookingform-frontend.php:178

WordPress Hooks 6

action · admin_menu · main\truebooker-main.php:191
action · admin_enqueue_scripts · truebooker-appointment-booking.php:85
action · admin_enqueue_scripts · truebooker-appointment-booking.php:103
action · wp_enqueue_scripts · truebooker-appointment-booking.php:132
filter · body_class · truebooker-appointment-booking.php:154
filter · plugin_row_meta · truebooker-appointment-booking.php:171
Maintenance & Trust

Truebooker – Appointment Booking and Scheduler System Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version: 7.4
Downloads: 10K

Community Trust

Rating: 100/100
Number of ratings: 14
Active installs: 600
Developer Profile

Truebooker – Appointment Booking and Scheduler System Developer Profile

themetechmount

2 plugins · 610 total installs

Trust score: 91
Avg Security Score: 95/100
Avg Patch Time: 22 days
Detection Fingerprints

How We Detect Truebooker – Appointment Booking and Scheduler System

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/truebooker-appointment-booking/assets/js/truebooker_custom.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/bootstrap.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/truebooker_variables.css
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/animate.css
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/jquery.timepicker.min.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/intlTelInput.min.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/utils.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/intlTelInput.css
  • +8 more

Script Paths

  • /wp-content/plugins/truebooker-appointment-booking/assets/js/truebooker_custom.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/bootstrap.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/jquery.timepicker.min.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/intlTelInput.min.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/utils.js
  • /wp-content/plugins/truebooker-appointment-booking/assets/js/country.js
  • +3 more

Version Parameters

  • /wp-content/plugins/truebooker-appointment-booking/assets/css/truebooker_variables.css?ver=
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/animate.css?ver=
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/intlTelInput.css?ver=
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/truebooker_css.css?ver=
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/truebooker_front.css?ver=
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/truebooker_variables.css?ver=
  • /wp-content/plugins/truebooker-appointment-booking/assets/css/bootstrap.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • truebooker
  • truebooker-booking-form
  • truebooker-input-group
  • truebooker-form-control
  • truebooker-submit-button
  • truebooker-calendar
  • truebooker-timepicker
  • truebooker-datetimepicker

HTML Comments

  • <!-- Booking Form Start -->
  • <!-- Booking Form End -->
  • <!-- Truebooker booking form section -->

Data Attributes

  • data-truebooker-form-id
  • data-truebooker-target-div
  • data-truebooker-ajax-url
  • data-truebooker-nonce

JS Globals

  • truebookerPluginDataAdmin
  • truebookerPluginData

REST Endpoints

  • /wp-json/truebooker/v1/bookings
  • /wp-json/truebooker/v1/services
  • /wp-json/truebooker/v1/appointments

Shortcode Output

  • [booking_form]
  • [booking_form style="default"]

FAQ

Frequently Asked Questions about Truebooker – Appointment Booking and Scheduler System