Easy Appointment Booking & Scheduling System – Webba Booking Calendar Security & Risk Analysis

wordpress.org/plugins/webba-booking-lite

Free Appointment Booking Plugin 📅 Unlimited appointments, booking management, calendar sync, notifications, 5* support = powerful booking system!

3K active installs · v6.3.12 · PHP 7.4+ · WP 5.6+ · Updated Mar 6, 2026
Tags: appointment-booking, appointments, booking-calendar, booking-system, scheduling
Score: 95 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Dec 15, 2025
Safety Verdict

Is Easy Appointment Booking & Scheduling System – Webba Booking Calendar Safe to Use in 2026?

Generally Safe

Score 95/100

Easy Appointment Booking & Scheduling System – Webba Booking Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Dec 15, 2025 · Updated 28d ago
Risk Assessment

The webba-booking-lite plugin version 6.3.12 exhibits a mixed security posture. While it demonstrates good practices in SQL query sanitization (83% prepared statements) and a significant number of capability checks (53), there are notable areas of concern. The presence of 17 unprotected entry points, including 15 AJAX handlers and 2 REST API routes without permission callbacks, represents a significant attack surface that could be exploited by unauthenticated users. The taint analysis reveals 2 high-severity flows with unsanitized paths, indicating potential vulnerabilities that could lead to data manipulation or leakage if exploited. The vulnerability history, while showing no currently unpatched CVEs, is concerning due to the prevalence of Cross-site Scripting (XSS) and Missing Authorization vulnerabilities in the past. This pattern suggests a recurring need for careful input validation and authorization checks. Overall, the plugin has strengths in code sanitization but needs significant improvements in access control and protection of its exposed entry points to achieve a robust security posture.

Key Concerns

  • 15 AJAX handlers without auth checks
  • 2 REST API routes without permission callbacks
  • 2 high severity taint flows
  • Bundled Freemius v1.0
  • Bundled jQuery v1.11.0
  • 68% of outputs properly escaped

Vulnerabilities: 7

Easy Appointment Booking & Scheduling System – Webba Booking Calendar Security Vulnerabilities

CVEs by Year

1 CVE in 2022
1 CVE in 2023
1 CVE in 2024
4 CVEs in 2025

Severity Breakdown

Medium: 7

7 total CVEs

CVE-2025-66530 · medium · 4.3 · Missing Authorization

Webba Booking <= 6.2.1 - Missing Authorization

Dec 15, 2025 · Patched in 6.2.2 (6d)

CVE-2025-54729 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webba Booking <= 6.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Aug 14, 2025 · Patched in 6.0.6 (6d)

CVE-2025-54040 · medium · 5.3 · Missing Authorization

Webba Booking <= 5.1.20 - Missing Authorization

Jul 16, 2025 · Patched in 5.1.22 (6d)

CVE-2025-54036 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Webba Booking <= 5.1.20 - Cross-Site Request Forgery

Jul 16, 2025 · Patched in 5.1.21 (6d)

CVE-2024-8432 · medium · 4.3 · Missing Authorization

Appointment & Event Booking Calendar Plugin – Webba Booking <= 5.0.48 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update

Sep 23, 2024 · Patched in 5.0.50 (1d)

CVE-2023-51354 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Webba Booking <= 4.5.33 - Cross-Site Request Forgery

Dec 26, 2023 · Patched in 5.0 (28d)

CVE-2021-36847 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webba Booking <= 4.2.21 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 15, 2022 · Patched in 4.2.22 (648d)

Code Analysis
Analyzed Mar 16, 2026

Easy Appointment Booking & Scheduling System – Webba Booking Calendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 42 (200 prepared)
Unescaped Output: 353 (742 escaped)
Nonce Checks: 19
Capability Checks: 53
File Operations: 10
External Requests: 3
Bundled Libraries: 3

Bundled Libraries

Freemius 1.0, jQuery 1.11.0, TinyMCE

SQL Query Safety

83% prepared · 242 total queries

Output Escaping

68% escaped · 1095 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

11 flows · 3 with unsanitized paths
wbk_create_multiple_bookings (includes\backend\class_wbk_backend_schedule.php:40)
Attack Surface: 17 unprotected

Easy Appointment Booking & Scheduling System – Webba Booking Calendar Attack Surface

Entry Points: 76
Unprotected: 17

AJAX Handlers 31

auth wp_ajax_wbk_dismiss_notice includes\backend\class-wbk-admin-notices.php:32
auth wp_ajax_wbk_save_options includes\backend\class_wbk_backend_options.php:25
auth wp_ajax_wbk_schedule_load includes\backend\class_wbk_backend_schedule.php:12
auth wp_ajax_wbk_schedule_load_fullcalendar includes\backend\class_wbk_backend_schedule.php:13
auth wp_ajax_wbk_lock_day includes\backend\class_wbk_backend_schedule.php:17
auth wp_ajax_wbk_unlock_day includes\backend\class_wbk_backend_schedule.php:18
auth wp_ajax_wbk_lock_time includes\backend\class_wbk_backend_schedule.php:19
auth wp_ajax_wbk_unlock_time includes\backend\class_wbk_backend_schedule.php:20
auth wp_ajax_wbk_prepare_appointment includes\backend\class_wbk_backend_schedule.php:21
auth wp_ajax_wbk_add_appointment_backend includes\backend\class_wbk_backend_schedule.php:25
auth wp_ajax_wbk_view_appointment includes\backend\class_wbk_backend_schedule.php:29
auth wp_ajax_wbk_create_multiple_bookings includes\backend\class_wbk_backend_schedule.php:30
auth wp_ajax_wbk_delete_appointment includes\backend\class_wbk_backend_schedule.php:34
auth wp_ajax_wbk_calculate_amounts includes\class-wbk-request-manager.php:187
nopriv wp_ajax_wbk_calculate_amounts includes\class-wbk-request-manager.php:188
auth wp_ajax_wbk_search_time includes\class-wbk-request-manager.php:189
nopriv wp_ajax_wbk_search_time includes\class-wbk-request-manager.php:190
auth wp_ajax_wbk-render-days includes\class-wbk-request-manager.php:191
nopriv wp_ajax_wbk-render-days includes\class-wbk-request-manager.php:192
auth wp_ajax_wbk_render_booking_form includes\class-wbk-request-manager.php:193
nopriv wp_ajax_wbk_render_booking_form includes\class-wbk-request-manager.php:194
auth wp_ajax_wbk_book includes\class-wbk-request-manager.php:195
nopriv wp_ajax_wbk_book includes\class-wbk-request-manager.php:196
auth wp_ajax_wbk_prepare_payment includes\class-wbk-request-manager.php:197
nopriv wp_ajax_wbk_prepare_payment includes\class-wbk-request-manager.php:198
auth wp_ajax_wbk_cancel_appointment includes\class-wbk-request-manager.php:199
nopriv wp_ajax_wbk_cancel_appointment includes\class-wbk-request-manager.php:200
auth wp_ajax_wbk_schedule_tools_action includes\class-wbk-request-manager.php:201
auth wp_ajax_wbk_report_error includes\class-wbk-request-manager.php:202
nopriv wp_ajax_wbk_report_error includes\class-wbk-request-manager.php:203
auth wp_ajax_wbk_backend_hide_notice includes\class-wbk-request-manager.php:204

REST API Routes 40

GET /wp-json/webba-booking/v1/get-booking-ids-by-token includes\class-wbk-request-manager.php:16
GET /wp-json/wbk/v1/get-service-list/ includes\class-wbk-request-manager.php:21
POST /wp-json/wbk/v1/appointments-status-change/ includes\class-wbk-request-manager.php:26
POST /wp-json/wbk/v1/resend-email/ includes\class-wbk-request-manager.php:31
POST /wp-json/wbk/v1/get-wp-users/ includes\class-wbk-request-manager.php:36
POST /wp-json/wbk/v1/csv-export/ includes\class-wbk-request-manager.php:41
GET /wp-json/wbk/v2/get-preset/ includes\class-wbk-request-manager.php:46
POST /wp-json/wbk/v2/login includes\class-wbk-request-manager.php:51
GET /wp-json/wbk/v2/get-user-bookings includes\class-wbk-request-manager.php:56
GET /wp-json/wbk/v2/get-time-slots includes\class-wbk-request-manager.php:61
POST /wp-json/wbk/v2/update-booking includes\class-wbk-request-manager.php:66
POST /wp-json/wbk/v2/delete-booking includes\class-wbk-request-manager.php:71
POST /wp-json/wbk/v2/get-field-options/ includes\class-wbk-request-manager.php:76
GET /wp-json/wbk/v2/get-calendar-auth-data/ includes\class-wbk-request-manager.php:81
GET /wp-json/wbk/v2/get-dashboard-stats/ includes\class-wbk-request-manager.php:86
GET /wp-json/wbk/v2/get-cell-detail/ includes\class-wbk-request-manager.php:91
POST /wp-json/wbk/v2/save-appearance/ includes\class-wbk-request-manager.php:96
GET /wp-json/webba-booking/v1/get-service-availability/ includes\class-wbk-request-manager.php:101
POST /wp-json/wbk/v1/get-available-time-slots-day/ includes\class-wbk-request-manager.php:106
GET /wp-json/webba-booking/v1/get-service-time-slots/ includes\class-wbk-request-manager.php:111
GET /wp-json/webba-booking/v1/get-form-fields includes\class-wbk-request-manager.php:116
GET /wp-json/webba-booking/v1/get-payment-methods includes\class-wbk-request-manager.php:121
POST /wp-json/webba-booking/v1/create-booking includes\class-wbk-request-manager.php:126
POST /wp-json/webba-booking/v1/calculate-amounts/ includes\class-wbk-request-manager.php:131
POST /wp-json/webba-booking/v1/execute-paypal-payment includes\class-wbk-request-manager.php:136
POST /wp-json/webba-booking/v1/execute-stripe-payment includes\class-wbk-request-manager.php:141
POST /wp-json/webba-booking/v1/booking-action includes\class-wbk-request-manager.php:146
POST /wp-json/webba-booking/v1/initialize-payment-method includes\class-wbk-request-manager.php:151
POST /wp-json/wbk/v2/send-test-email/ includes\class-wbk-request-manager.php:156
GET /wp-json/webba-booking/v1/get-timezones/ includes\class-wbk-request-manager.php:161
POST /wp-json/wbk/v2/save-options/ includes\class-wbk-request-manager.php:166
GET /wp-json/wbk/v2/get-options/ includes\class-wbk-request-manager.php:171
POST /wp-json/wbk/v2/remove-zoom-auth/ includes\class-wbk-request-manager.php:176
POST /wp-json/wbk/v2update-user-calendar/ includes\class-wbk-request-manager.php:181
POST /wp-json/webba-booking/v1/wizard/submit-initial-setup includes\class_wbk_wizard.php:9
POST /wp-json/webba-booking/v1/wizard/submit-final-setup includes\class_wbk_wizard.php:14
POST /wp-json/wbkdata/v1/save-item/ includes\wbkdata\includes\class-controller.php:28
POST /wp-json/wbkdata/v1/duplicate-item/ includes\wbkdata\includes\class-controller.php:36
GET /wp-json/wbkdata/v1/get-items/ includes\wbkdata\includes\class-controller.php:44
POST /wp-json/wbkdata/v1/delete-items/ includes\wbkdata\includes\class-controller.php:52

Shortcodes 5

[webba_booking] includes\class_wbk_frontend_booking.php:13
[webbabooking] includes\class_wbk_frontend_booking.php:14
[webba_email_landing] includes\class_wbk_frontend_booking.php:15
[webba_multi_service_booking] includes\class_wbk_frontend_booking.php:16
[webba_user_dashboard] includes\class_wbk_frontend_booking.php:21
WordPress Hooks 86

filter wp_mail_content_type deprecated\class_wbk_email_notifications.php:143
action admin_notices includes\backend\class-wbk-admin-notices.php:31
action admin_init includes\backend\class_wbk_backend_options.php:16
action admin_enqueue_scripts includes\backend\class_wbk_backend_options.php:18
filter mce_buttons includes\backend\class_wbk_backend_options.php:20
filter mce_external_plugins includes\backend\class_wbk_backend_options.php:21
filter wp_default_editor includes\backend\class_wbk_backend_options.php:22
filter tiny_mce_before_init includes\backend\class_wbk_backend_options.php:23
action admin_enqueue_scripts includes\class-wbk-assets-manager.php:19
action admin_enqueue_scripts includes\class-wbk-assets-manager.php:24
action wp_enqueue_scripts includes\class-wbk-assets-manager.php:29
action enqueue_block_editor_assets includes\class-wbk-assets-manager.php:30
action wbk_booking_added includes\class-wbk-booking-user.php:12
action init includes\class-wbk-booking-user.php:13
action rest_api_init includes\class-wbk-request-manager.php:15
filter wp_mail_content_type includes\class-wbk-request-manager.php:966
action plugins_loaded includes\class-wbk-rest-cache-prevention.php:24
action litespeed_init includes\class-wbk-rest-cache-prevention.php:25
filter rest_send_nocache_headers includes\class-wbk-rest-cache-prevention.php:26
filter rest_post_dispatch includes\class-wbk-rest-cache-prevention.php:27
filter cache_enabler_bypass includes\class-wbk-rest-cache-prevention.php:28
action admin_menu includes\class_wbk_backend.php:16
action admin_menu includes\class_wbk_backend.php:17
action admin_notices includes\class_wbk_backend.php:19
action admin_init includes\class_wbk_backend.php:20
action in_plugin_update_message-webba-booking/webba-booking-lite.php includes\class_wbk_backend.php:21
action in_plugin_update_message-webba-booking-lite/webba-booking-lite.php includes\class_wbk_backend.php:27
filter admin_body_class includes\class_wbk_backend.php:34
action wp_enqueue_scripts includes\class_wbk_frontend_booking.php:18
action wp_loaded includes\class_wbk_frontend_booking.php:20
action rest_api_init includes\class_wbk_wizard.php:8
action init includes\data\class-wbk-model.php:13
filter wp_mail_content_type includes\processors\class-wbk-email-processor.php:99
filter wp_mail_content_type includes\processors\class-wbk-email-processor.php:229
filter safe_style_css includes\processors\class-wbk-options-processor.php:158
filter woocommerce_add_cart_item_data includes\third-parties\class_wbk_woocommerce.php:285
action init includes\third-parties\class_wbk_woocommerce.php:295
action rest_api_init includes\wbkdata\includes\class-controller.php:27
action rest_api_init includes\wbkdata\includes\class-controller.php:35
action rest_api_init includes\wbkdata\includes\class-controller.php:43
action rest_api_init includes\wbkdata\includes\class-controller.php:51
filter wbkdata_property_field_validation_text includes\wbkdata\includes\default_field_validation.php:7
filter wbkdata_property_field_validation_radio includes\wbkdata\includes\default_field_validation.php:119
filter wbkdata_property_field_validation_checkbox includes\wbkdata\includes\default_field_validation.php:161
filter wbkdata_property_field_validation_multicheckbox includes\wbkdata\includes\default_field_validation.php:191
filter wbkdata_property_field_validation_select includes\wbkdata\includes\default_field_validation.php:253
filter wbkdata_property_field_validation_datetime includes\wbkdata\includes\default_field_validation.php:274
filter wbkdata_property_field_validation_date includes\wbkdata\includes\default_field_validation.php:298
filter wbkdata_property_field_validation_textarea includes\wbkdata\includes\default_field_validation.php:319
filter wbkdata_property_field_validation_editor includes\wbkdata\includes\default_field_validation.php:355
filter wbkdata_property_field_validation_date_range includes\wbkdata\includes\default_field_validation.php:387
filter wbkdata_property_field_validation_wbk_google_access_token includes\wbkdata\includes\default_field_validation.php:417
filter wbkdata_property_field_validation_wbk_app_custom_data includes\wbkdata\includes\default_field_validation.php:429
filter wbkdata_property_field_validation_wbk_date includes\wbkdata\includes\default_field_validation.php:442
filter wbkdata_property_field_validation_wbk_time includes\wbkdata\includes\default_field_validation.php:470
filter wbkdata_property_field_validation_wbk_business_hours includes\wbkdata\includes\default_field_validation.php:489
filter wbkdata_property_field_validation_color includes\wbkdata\includes\default_field_validation.php:502
filter wbkdata_property_field_validation_file includes\wbkdata\includes\default_field_validation.php:549
filter wbkdata_property_field_validation_wbk_form_fields includes\wbkdata\includes\default_field_validation.php:570
filter wbkdata_property_field_validation_duration includes\wbkdata\includes\default_field_validation.php:586
filter wbkdata_property_field_validation_limitation includes\wbkdata\includes\default_field_validation.php:608
filter wbkdata_property_field_validation_select_custom includes\wbkdata\includes\default_field_validation.php:620
filter wbkdata_type_to_sql_type includes\wbkdata\utils\class-wbkdata-custom-field.php:14
action wbkdata_on_after_item_deleted includes\wbkdata_extensions\class-wbk-model-relation-destroyer.php:17
action wbkdata_on_after_item_deleted includes\wbkdata_extensions\class-wbk-model-relation-handler.php:17
action wbkdata_on_after_item_updated includes\wbkdata_extensions\class-wbk-model-relation-handler.php:18
action wbkdata_on_after_item_added includes\wbkdata_extensions\class-wbk-model-relation-handler.php:19
action wbkdata_on_after_item_added includes\wbkdata_extensions\wbkdata_hooks.php:6
action wbkdata_on_before_item_deleted includes\wbkdata_extensions\wbkdata_hooks.php:29
action wbkdata_on_after_item_updated includes\wbkdata_extensions\wbkdata_hooks.php:57
filter wbkdata_field_can_view includes\wbkdata_extensions\wbkdata_hooks.php:75
filter wbkdata_field_can_update includes\wbkdata_extensions\wbkdata_hooks.php:93
filter wbkdata_field_can_add includes\wbkdata_extensions\wbkdata_hooks.php:117
filter wbkdata_row_can_delete includes\wbkdata_extensions\wbkdata_hooks.php:123
action wbkdata_before_table templates\backend\dashboard.php:16
filter wbkdata_get_rows_conditions templates\backend\dashboard.php:149
action template_redirect webba-booking-lite.php:104
action init webba-booking-lite.php:162
action wbk_daily_event webba-booking-lite.php:163
action plugins_loaded webba-booking-lite.php:164
action init webba-booking-lite.php:165
filter wbkdata_strings webba-booking-lite.php:166
action init webba-booking-lite.php:172
action admin_notices webba-booking-lite.php:697
action current_screen webba-booking-lite.php:839
filter permission_list webba-booking-lite.php:859

Scheduled Events 3

wbk_daily_event
wbk_daily_event
wbk_daily_event
Maintenance & Trust

Easy Appointment Booking & Scheduling System – Webba Booking Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 6, 2026
PHP min version: 7.4
Downloads: 320K

Community Trust

Rating: 98/100
Number of ratings: 149
Active installs: 3K
Developer Profile

Easy Appointment Booking & Scheduling System – Webba Booking Calendar Developer Profile

Webba Appointment Booking

1 plugin · 3K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 100 days
Detection Fingerprints

How We Detect Easy Appointment Booking & Scheduling System – Webba Booking Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
