WP Booking System – Booking Calendar Security & Risk Analysis

wordpress.org/plugins/wp-booking-system

The booking calendar plugin for WordPress. Get easy online booking with this lightweight and powerful booking calendar.

20K active installs v2.0.19.13 PHP 5.6+ WP 4.7+ Updated Apr 15, 2026
Tags: availability-calendar, booking-calendar, booking-system, icalendar, reservation-calendar
Score: 89 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Mar 4, 2026
Safety Verdict

Is WP Booking System – Booking Calendar Safe to Use in 2026?

Generally Safe

Score 89/100

WP Booking System – Booking Calendar has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

7 known CVEs · Last CVE: Mar 4, 2026 · Updated 1mo ago
Risk Assessment

The wp-booking-system plugin v2.0.19.13 presents a mixed security posture. While it demonstrates some good practices like a significant number of nonce and capability checks, and a majority of SQL queries utilizing prepared statements, there are notable areas of concern. The static analysis reveals an attack surface of 15 entry points, with 3 AJAX handlers lacking proper authentication checks. This is a significant risk, as these handlers could be exploited by unauthenticated users.

Furthermore, the taint analysis highlights one high-severity flow with unsanitized paths, indicating potential for vulnerabilities if user input is not properly handled. The plugin's vulnerability history, with 7 known CVEs including one critical and six medium severity, and a recent one in 2026, suggests a recurring pattern of security weaknesses. The common types of vulnerabilities (Exposure of Sensitive Information, XSS, Missing Authorization, CSRF) reinforce the need for careful review and remediation of identified issues. The fact that there are currently no unpatched CVEs is a positive sign, but the history points to a plugin that has historically been susceptible to various attack vectors.

In conclusion, while the plugin has implemented some security measures, the presence of unprotected entry points, a high-severity taint flow, and a history of significant vulnerabilities necessitate caution. Developers should prioritize addressing the unauthenticated AJAX handlers and the identified taint flow. Ongoing vigilance and regular security audits are recommended for this plugin.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow
  • Output escaping only 40% proper
  • SQL queries only 57% prepared
  • One critical CVE in history
  • Six medium CVEs in history
Vulnerabilities
7 published

WP Booking System – Booking Calendar Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2021: 1 CVE
2023: 2 CVEs
2024: 2 CVEs
2026: 1 CVE

Severity Breakdown

Critical: 1
Medium: 6

7 total CVEs

CVE-2025-68515 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

WP Booking System – Booking Calendar <= 2.0.19.12 - Unauthenticated Information Exposure

Mar 4, 2026 Patched in 2.0.19.13 (9d)
CVE-2024-50425 · medium · 4.3 · Missing Authorization

WP Booking System <= 2.0.19.10 - Missing Authorization via wpbs_refresh_calendar_editor

Oct 24, 2024 Patched in 2.0.19.11 (7d)
CVE-2024-8797 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Booking System – Booking Calendar <= 2.0.19.8 - Reflected Cross-Site Scripting

Sep 13, 2024 Patched in 2.0.19.9 (1d)
CVE-2023-49758 · medium · 4.3 · Missing Authorization

WP Booking System <= 2.0.19.2 - Missing Authorization

Dec 4, 2023 Patched in 2.0.19.3 (50d)
CVE-2023-24402 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Booking System <= 2.0.18 - Authenticated (Admin+) Stored Cross Site Scripting

Feb 2, 2023 Patched in 2.0.18.1 (355d)
CVE-2021-25061 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Booking System – Booking Calendar <= 2.0.14 - Reflected Cross-Site Scripting

Dec 10, 2021 Patched in 2.0.15 (774d)
CVE-2019-12239 · critical · 9.8 · Cross-Site Request Forgery (CSRF)

WP Booking System Free version < 1.5.2 - Cross-Site Request Forgery

May 22, 2019 Patched in 1.5.2 (1707d)
Code Analysis
Analyzed Mar 16, 2026

WP Booking System – Booking Calendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 13 (17 prepared)
Unescaped Output: 349 (231 escaped)
Nonce Checks: 26
Capability Checks: 6
File Operations: 1
External Requests: 7
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

57% prepared · 30 total queries

Output Escaping

40% escaped · 580 total outputs
Data Flows · Security
6 unsanitized

Data Flow Analysis

12 flows · 6 with unsanitized paths
search_box (includes\abstracts\abstract-class-list-table.php:341)
Attack Surface
3 unprotected

WP Booking System – Booking Calendar Attack Surface

Entry Points: 15
Unprotected: 3

AJAX Handlers 14

auth wp_ajax_wpbs_open_booking_details includes\base\admin\booking\functions-ajax.php:42
auth wp_ajax_wpbs_booking_email_customer includes\base\admin\booking\functions-ajax.php:73
auth wp_ajax_wpbs_refresh_calendar_editor includes\base\admin\calendar\functions-actions-ajax-calendar.php:65
auth wp_ajax_wpbs_save_calendar_data includes\base\admin\calendar\functions-actions-ajax-calendar.php:255
nopriv wp_ajax_wpbs_refresh_calendar includes\base\calendar\functions-ajax.php:38
auth wp_ajax_wpbs_refresh_calendar includes\base\calendar\functions-ajax.php:39
nopriv wp_ajax_wpbs_submit_form includes\base\form\functions-ajax.php:136
auth wp_ajax_wpbs_submit_form includes\base\form\functions-ajax.php:137
auth wp_ajax_wpbs_action_ajax_migrate_calendars includes\modules\upgrader\functions-actions-ajax-upgrader.php:266
auth wp_ajax_wpbs_action_ajax_migrate_forms includes\modules\upgrader\functions-actions-ajax-upgrader.php:434
auth wp_ajax_wpbs_action_ajax_migrate_bookings includes\modules\upgrader\functions-actions-ajax-upgrader.php:548
auth wp_ajax_wpbs_action_ajax_migrate_events includes\modules\upgrader\functions-actions-ajax-upgrader.php:682
auth wp_ajax_wpbs_action_ajax_migrate_general_settings includes\modules\upgrader\functions-actions-ajax-upgrader.php:780
auth wp_ajax_wpbs_action_ajax_migrate_finishing_up includes\modules\upgrader\functions-actions-ajax-upgrader.php:801

Shortcodes 1

[wpbs] includes\base\class-shortcodes.php:19
WordPress Hooks 97
action admin_footer includes\abstracts\abstract-class-list-table.php:152
action admin_menu includes\abstracts\abstract-class-submenu-page.php:114
action admin_init includes\base\admin\backup\class-submenu-page-backup.php:15
action wpbs_action_backup_export includes\base\admin\backup\functions-actions-backup.php:53
action wpbs_action_backup_import includes\base\admin\backup\functions-actions-backup.php:148
action wpbs_include_files includes\base\admin\backup\functions.php:25
filter wpbs_register_submenu_page includes\base\admin\backup\functions.php:50
action wpbs_save_calendar_data includes\base\admin\booking\functions-actions-booking.php:77
action wpbs_action_permanently_delete_booking includes\base\admin\booking\functions-actions-booking.php:117
action wpbs_include_files includes\base\admin\booking\functions.php:44
filter admin_menu includes\base\admin\booking\functions.php:80
action wp_before_admin_bar_render includes\base\admin\booking\functions.php:126
action wp_head includes\base\admin\booking\functions.php:152
action admin_init includes\base\admin\calendar\class-submenu-page-calendar.php:18
action wpbs_action_add_calendar includes\base\admin\calendar\functions-actions-calendar.php:80
action wpbs_action_trash_calendar includes\base\admin\calendar\functions-actions-calendar.php:112
action wpbs_action_restore_calendar includes\base\admin\calendar\functions-actions-calendar.php:144
action wpbs_action_delete_calendar includes\base\admin\calendar\functions-actions-calendar.php:282
action media_buttons includes\base\admin\calendar\functions-shortcode-generator.php:43
action admin_footer includes\base\admin\calendar\functions-shortcode-generator.php:92
action wpbs_include_files includes\base\admin\calendar\functions.php:38
filter wpbs_register_submenu_page includes\base\admin\calendar\functions.php:63
action admin_init includes\base\admin\class-admin-notices.php:46
action admin_notices includes\base\admin\class-admin-notices.php:47
action admin_init includes\base\admin\form\class-submenu-page-form.php:18
action wpbs_action_add_form includes\base\admin\form\functions-actions-form.php:61
action wpbs_action_edit_form includes\base\admin\form\functions-actions-form.php:194
action wpbs_action_trash_form includes\base\admin\form\functions-actions-form.php:229
action wpbs_action_restore_form includes\base\admin\form\functions-actions-form.php:264
action wpbs_action_delete_form includes\base\admin\form\functions-actions-form.php:304
action wpbs_include_files includes\base\admin\form\functions.php:34
filter wpbs_register_submenu_page includes\base\admin\form\functions.php:60
filter wpbs_form_available_field_types includes\base\admin\form\functions.php:227
filter teeny_mce_before_init includes\base\admin\form\functions.php:329
filter teeny_mce_plugins includes\base\admin\form\functions.php:336
action current_screen includes\base\admin\form\functions.php:341
action wpbs_include_files includes\base\admin\functions.php:21
action admin_init includes\base\admin\functions.php:44
action admin_init includes\base\admin\settings\class-submenu-page-settings.php:15
action admin_init includes\base\admin\settings\class-submenu-page-settings.php:16
action wpbs_include_files includes\base\admin\settings\functions.php:21
filter wpbs_register_submenu_page includes\base\admin\settings\functions.php:46
action plugins_loaded includes\base\booking\class-object-meta-db-bookings.php:24
action wpbs_include_files includes\base\booking\functions.php:33
filter wpbs_register_database_classes includes\base\booking\functions.php:52
action plugins_loaded includes\base\calendar\class-object-meta-db-calendars.php:24
action wpbs_include_files includes\base\calendar\functions.php:44
filter wpbs_register_database_classes includes\base\calendar\functions.php:63
action widgets_init includes\base\class-widget-calendar.php:376
action plugins_loaded includes\base\event\class-object-meta-db-events.php:24
action wpbs_include_files includes\base\event\functions.php:28
filter wpbs_register_database_classes includes\base\event\functions.php:47
action plugins_loaded includes\base\form\class-object-meta-db-forms.php:24
action wpbs_include_files includes\base\form\functions.php:53
filter wpbs_register_database_classes includes\base\form\functions.php:72
action wpbs_include_files includes\base\functions.php:49
action plugins_loaded includes\base\legend\class-object-meta-db-legend-items.php:24
action wpbs_include_files includes\base\legend\functions.php:33
filter wpbs_register_database_classes includes\base\legend\functions.php:52
filter wpbs_get_legend_items includes\base\legend\functions.php:378
filter block_categories_all includes\modules\blocks\functions.php:23
action admin_enqueue_scripts includes\modules\blocks\functions.php:112
action init includes\modules\blocks\single-calendar\functions.php:52
action elementor/elements/categories_registered includes\modules\elementor\functions.php:20
action elementor/widgets/register includes\modules\elementor\functions.php:33
filter wpbs_submenu_page_settings_tabs includes\modules\uninstaller\functions.php:22
action wpbs_submenu_page_settings_tab_uninstaller includes\modules\uninstaller\functions.php:34
action wpbs_action_uninstall_plugin includes\modules\uninstaller\functions.php:80
filter plugins_api includes\modules\update-checker\class-update-checker.php:58
filter site_transient_update_plugins includes\modules\update-checker\class-update-checker.php:61
filter transient_update_plugins includes\modules\update-checker\class-update-checker.php:62
filter cron_schedules includes\modules\update-checker\class-update-checker.php:69
action wpbs_action_register_website includes\modules\update-checker\functions-actions-update-checker.php:80
action wpbs_action_deregister_website includes\modules\update-checker\functions-actions-update-checker.php:121
action wpbs_action_check_for_updates includes\modules\update-checker\functions-actions-update-checker.php:146
action admin_init includes\modules\update-checker\functions-actions-update-checker.php:179
action admin_init includes\modules\update-checker\functions-actions-update-checker.php:211
action wpbs_include_files includes\modules\update-checker\functions.php:25
action plugins_loaded includes\modules\update-checker\functions.php:49
filter wpbs_submenu_page_settings_tabs includes\modules\update-checker\functions.php:67
action wpbs_submenu_page_settings_tab_register_website includes\modules\update-checker\functions.php:79
action admin_init includes\modules\update-checker\functions.php:125
action admin_notices includes\modules\update-checker\functions.php:160
action wpbs_action_skip_upgrade_process includes\modules\upgrader\functions-actions-upgrader.php:25
action wpbs_include_files includes\modules\upgrader\functions.php:29
filter wpbs_register_submenu_page includes\modules\upgrader\functions.php:67
action plugins_loaded wp-booking-system.php:76
action plugins_loaded wp-booking-system.php:79
action wpbs_update_check wp-booking-system.php:82
action admin_menu wp-booking-system.php:85
action admin_menu wp-booking-system.php:86
action wp_loaded wp-booking-system.php:89
action admin_enqueue_scripts wp-booking-system.php:92
action wp_enqueue_scripts wp-booking-system.php:95
filter removable_query_args wp-booking-system.php:98
filter admin_body_class wp-booking-system.php:101
filter admin_footer_text wp-booking-system.php:104
Maintenance & Trust

WP Booking System – Booking Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 15, 2026
PHP min version: 5.6
Downloads: 342K

Community Trust

Rating: 98/100
Number of ratings: 336
Active installs: 20K
Developer Profile

WP Booking System – Booking Calendar Developer Profile

Roland Murg

3 plugins · 32K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 327 days
Detection Fingerprints

How We Detect WP Booking System – Booking Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-booking-system/assets/css/admin/main.css
/wp-content/plugins/wp-booking-system/assets/css/frontend/calendar.css
/wp-content/plugins/wp-booking-system/assets/css/frontend/main.css
/wp-content/plugins/wp-booking-system/assets/css/frontend/tooltip.css
/wp-content/plugins/wp-booking-system/assets/js/admin/main.js
/wp-content/plugins/wp-booking-system/assets/js/frontend/calendar.js
/wp-content/plugins/wp-booking-system/assets/js/frontend/main.js
/wp-content/plugins/wp-booking-system/assets/js/frontend/tooltip.js
+1 more
Script Paths
/wp-content/plugins/wp-booking-system/assets/js/admin/main.js
/wp-content/plugins/wp-booking-system/assets/js/frontend/main.js
/wp-content/plugins/wp-booking-system/assets/js/frontend/calendar.js
/wp-content/plugins/wp-booking-system/assets/js/frontend/tooltip.js
/wp-content/plugins/wp-booking-system/assets/js/shared/dependencies.js
Version Parameters
wp-booking-system/assets/css/admin/main.css?ver=
wp-booking-system/assets/css/frontend/calendar.css?ver=
wp-booking-system/assets/css/frontend/main.css?ver=
wp-booking-system/assets/css/frontend/tooltip.css?ver=
wp-booking-system/assets/js/admin/main.js?ver=
wp-booking-system/assets/js/frontend/calendar.js?ver=
wp-booking-system/assets/js/frontend/main.js?ver=
wp-booking-system/assets/js/frontend/tooltip.js?ver=
wp-booking-system/assets/js/shared/dependencies.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpbs-booking-form
wpbs-calendar
wpbs-availability
HTML Comments
<!-- WP Booking System by Veribo, Roland Murg -->
<!-- WP Booking System by Veribo, Roland Murg -->
Data Attributes
data-wpbs-form-id
data-wpbs-calendar-id
JS Globals
WPBS_JS
FAQ

Frequently Asked Questions about WP Booking System – Booking Calendar