WP Booking Security & Risk Analysis

wordpress.org/plugins/wp-easy-booking

This is a booking plugin with very easy to use admin panel. Create schedules and let users register for that.

10 active installs · v2.4.6 · PHP + · WP 2.0.3+ · Updated Feb 11, 2025
appointment · booking · calendar · event · schedule
Score 91 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: May 24, 2024
Safety Verdict

Is WP Booking Safe to Use in 2026?

Generally Safe

Score 91/100

WP Booking has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: May 24, 2024 · Updated 1yr ago
Risk Assessment

The "wp-easy-booking" v2.4.6 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for all its SQL queries and having no file operations or external HTTP requests, which are significant security strengths. It also includes some nonce and capability checks. However, there are notable concerns. The static analysis reveals that a significant portion (51%) of output is not properly escaped, posing a risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the taint analysis indicates 4 high-severity flows with unsanitized paths, which could be exploited to compromise the system if these paths are reachable by untrusted input. The plugin has a history of known vulnerabilities, including a medium-severity XSS vulnerability discovered very recently, suggesting a pattern of input sanitization issues that require ongoing vigilance. While the current version has no unpatched CVEs, the recent history and the findings in the taint analysis point to potential risks that need to be addressed by users.

Key Concerns

  • High-severity taint flows with unsanitized paths
  • Significant portion of output not properly escaped
  • Recent medium severity vulnerability history
  • Limited nonce and capability checks
Vulnerabilities
1

WP Booking Security Vulnerabilities

CVEs by Year

1 CVE in 2024

Severity Breakdown

Medium: 1

1 total CVE

CVE-2024-35297 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Booking <= 2.4.4 - Authenticated Stored Cross-Site Scripting

May 24, 2024 · Patched in 2.4.5 (14d)
Code Analysis
Analyzed Mar 17, 2026

WP Booking Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (28 prepared)
Unescaped Output: 95 (91 escaped)
Nonce Checks: 2
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 28 total queries

Output Escaping

49% escaped · 186 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

9 flows · 5 with unsanitized paths
booking_front_user_data (includes\class-processing.php:140)
Attack Surface

WP Booking Attack Surface

Entry Points: 4
Unprotected: 0

Shortcodes 4

[schd_calendar] shortcodes.php:16
[schd_booking_form] shortcodes.php:34
[schd_booking_locations] shortcodes.php:70
[schd_booking_orders] shortcodes.php:89
WordPress Hooks 12

action plugins_loaded booking.php:105
action template_redirect booking.php:106
action init includes\class-booking-address.php:5
action add_meta_boxes_booking_address includes\class-booking-address.php:6
action save_post includes\class-booking-address.php:7
action init includes\class-booking-address.php:8
filter wp_mail_content_type includes\class-general.php:195
action init includes\class-processing.php:6
action admin_init includes\class-processing.php:7
action wp_enqueue_scripts includes\class-scripts.php:5
action admin_enqueue_scripts includes\class-scripts.php:6
action admin_menu includes\class-settings.php:6
Maintenance & Trust

WP Booking Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Feb 11, 2025
PHP min version
Downloads: 10K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

WP Booking Developer Profile

aviplugins.com

9 plugins · 8K total installs

Trust score: 62
Avg Security Score: 76/100
Avg Patch Time: 617 days
Detection Fingerprints

How We Detect WP Booking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-easy-booking/css/booking_front_styles.css
/wp-content/plugins/wp-easy-booking/css/booking_admin_style.css
/wp-content/plugins/wp-easy-booking/js/wp-booking.js
/wp-content/plugins/wp-easy-booking/js/jquery.validate.min.js
/wp-content/plugins/wp-easy-booking/js/additional-methods.js
/wp-content/plugins/wp-easy-booking/js/ap.cookie.js
/wp-content/plugins/wp-easy-booking/js/ap-tabs.js
/wp-content/plugins/wp-easy-booking/assets/jquery-ui.css
Script Paths
/wp-content/plugins/wp-easy-booking/js/wp-booking.js
/wp-content/plugins/wp-easy-booking/js/jquery.validate.min.js
/wp-content/plugins/wp-easy-booking/js/additional-methods.js
/wp-content/plugins/wp-easy-booking/js/ap.cookie.js
/wp-content/plugins/wp-easy-booking/js/ap-tabs.js
Version Parameters
wp-easy-booking/js/wp-booking.js?ver=
wp-easy-booking/assets/jquery-ui.css?ver=
wp-easy-booking/css/booking_front_styles.css?ver=
wp-easy-booking/js/jquery.validate.min.js?ver=
wp-easy-booking/js/additional-methods.js?ver=
wp-easy-booking/css/booking_admin_style.css?ver=
wp-easy-booking/js/ap.cookie.js?ver=
wp-easy-booking/js/ap-tabs.js?ver=

HTML / DOM Fingerprints

CSS Classes
booking_calendar
booking_form
booking-locations-list
booking-location-item
HTML Comments
<!-- updated for version 2.4.3 -->
Data Attributes
data-post-id
JS Globals
wp_booking_ajax_object
Shortcode Output
[schd_calendar]
[schd_booking_form]
[schd_booking_locations]
[schd_booking_orders]
FAQ

Frequently Asked Questions about WP Booking