WP Simple Booking Calendar Security & Risk Analysis

wordpress.org/plugins/wp-simple-booking-calendar

This booking calendar shows when something is booked or available. Use it to show when your holiday home is available for rent, for example.

20K active installs · v2.0.15 · PHP 5.6+ · WP 4.7+ · Updated Apr 8, 2025
Tags: availability-calendar, belegungsplan, booking-calendar, bookings, calendar
Score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Apr 16, 2025
Safety Verdict

Is WP Simple Booking Calendar Safe to Use in 2026?

Generally Safe

Score 95/100

WP Simple Booking Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Apr 16, 2025 · Updated 12mo ago
Risk Assessment

The "wp-simple-booking-calendar" v2.0.15 plugin exhibits a mixed security posture. While it demonstrates some good practices like a significant number of nonce checks and capability checks, there are notable areas of concern. The static analysis reveals a moderate attack surface with 10 total entry points, two of which lack authentication checks. This, coupled with a high percentage of unsanitized paths in taint analysis and one high-severity taint flow, indicates potential for vulnerabilities that could be exploited by unauthenticated users.

The vulnerability history paints a concerning picture, with four known CVEs, including one high-severity and three medium-severity vulnerabilities. The common vulnerability types (Missing Authorization, XSS, CSRF, SQL Injection) align with the weaknesses identified in the static analysis, particularly the unprotected AJAX handlers. The fact that the last vulnerability was recorded in April 2025 suggests a history of security flaws, even if none are currently unpatched. While the plugin's use of prepared statements for SQL queries is a strength, the overall pattern of past vulnerabilities and the current static analysis findings warrant caution.

In conclusion, the "wp-simple-booking-calendar" v2.0.15 plugin has several concerning security aspects, primarily related to unprotected entry points and a history of exploitable vulnerabilities. The significant number of properly escaped outputs and nonces are positive signs, but the presence of unprotected AJAX handlers and past security incidents suggest a need for diligent security monitoring and prompt updates. The strengths do not currently outweigh the identified risks.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow
  • High severity CVE in history
  • Medium severity CVEs in history (3)
  • Moderate output escaping (40%)
  • Flows with unsanitized paths (3)
Vulnerabilities: 4

WP Simple Booking Calendar Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2025-39541 · medium · 4.3 · Missing Authorization
WP Simple Booking Calendar <= 2.0.13 - Missing Authorization
Apr 16, 2025 · Patched in 2.0.14 (6d)

CVE-2024-8663 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Simple Booking Calendar <= 2.0.10 - Reflected Cross-Site Scripting
Sep 12, 2024 · Patched in 2.0.11 (1d)

CVE-2023-51525 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP Simple Booking Calendar <= 2.0.8.4 - Cross-Site Request Forgery
Dec 27, 2023 · Patched in 2.0.8.5 (27d)

CVE-2021-24726 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
WP Simple Booking Calendar <= 2.0.6 - Authenticated SQL Injection
Aug 6, 2021 · Patched in 2.0.7 (900d)
Code Analysis
Analyzed Mar 16, 2026

WP Simple Booking Calendar Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (12 prepared)
Unescaped Output: 230 (155 escaped)
Nonce Checks: 22
Capability Checks: 4
File Operations: 1
External Requests: 4
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

75% prepared · 16 total queries

Output Escaping

40% escaped · 385 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

7 flows · 3 with unsanitized paths
search_box (includes\abstracts\abstract-class-list-table.php:342)
Attack Surface: 2 unprotected

WP Simple Booking Calendar Attack Surface

Entry Points: 10
Unprotected: 2

AJAX Handlers 8

auth wp_ajax_wpsbc_refresh_calendar_editor includes\base\admin\calendar\functions-actions-ajax-calendar.php:62
auth wp_ajax_wpsbc_save_calendar_data includes\base\admin\calendar\functions-actions-ajax-calendar.php:251
nopriv wp_ajax_wpsbc_refresh_calendar includes\base\calendar\functions-ajax.php:39
auth wp_ajax_wpsbc_refresh_calendar includes\base\calendar\functions-ajax.php:40
auth wp_ajax_wpsbc_action_ajax_migrate_calendars includes\modules\upgrader\functions-actions-ajax-upgrader.php:97
auth wp_ajax_wpsbc_action_ajax_migrate_bookings includes\modules\upgrader\functions-actions-ajax-upgrader.php:217
auth wp_ajax_wpsbc_action_ajax_migrate_general_settings includes\modules\upgrader\functions-actions-ajax-upgrader.php:243
auth wp_ajax_wpsbc_action_ajax_migrate_finishing_up includes\modules\upgrader\functions-actions-ajax-upgrader.php:264

Shortcodes 2

[wpsbc] includes\base\class-shortcodes.php:19
[sbc] includes\base\class-shortcodes.php:22
WordPress Hooks 77
action admin_footer includes\abstracts\abstract-class-list-table.php:153
action admin_menu includes\abstracts\abstract-class-submenu-page.php:114
action admin_init includes\base\admin\backup\class-submenu-page-backup.php:15
action wpsbc_action_backup_export includes\base\admin\backup\functions-actions-backup.php:53
action wpsbc_action_backup_import includes\base\admin\backup\functions-actions-backup.php:148
action wpsbc_include_files includes\base\admin\backup\functions.php:25
filter wpsbc_register_submenu_page includes\base\admin\backup\functions.php:50
action admin_init includes\base\admin\calendar\class-submenu-page-calendar.php:18
action wpsbc_action_add_calendar includes\base\admin\calendar\functions-actions-calendar.php:131
action wpsbc_action_trash_calendar includes\base\admin\calendar\functions-actions-calendar.php:166
action wpsbc_action_restore_calendar includes\base\admin\calendar\functions-actions-calendar.php:201
action wpsbc_action_delete_calendar includes\base\admin\calendar\functions-actions-calendar.php:301
action wpsbc_action_add_legend_item includes\base\admin\calendar\functions-actions-legend-item.php:108
action wpsbc_action_edit_legend_item includes\base\admin\calendar\functions-actions-legend-item.php:199
action wpsbc_action_delete_legend_item includes\base\admin\calendar\functions-actions-legend-item.php:267
action wpsbc_action_make_default_legend_item includes\base\admin\calendar\functions-actions-legend-item.php:322
action wpsbc_action_make_visible_legend_item includes\base\admin\calendar\functions-actions-legend-item.php:359
action wpsbc_action_make_invisible_legend_item includes\base\admin\calendar\functions-actions-legend-item.php:396
action media_buttons includes\base\admin\calendar\functions-shortcode-generator.php:36
action admin_footer includes\base\admin\calendar\functions-shortcode-generator.php:69
action wpsbc_include_files includes\base\admin\calendar\functions.php:48
filter wpsbc_register_submenu_page includes\base\admin\calendar\functions.php:73
action admin_init includes\base\admin\class-admin-notices.php:46
action admin_notices includes\base\admin\class-admin-notices.php:47
action wpsbc_include_files includes\base\admin\functions.php:21
action admin_init includes\base\admin\functions.php:44
action admin_init includes\base\admin\settings\class-submenu-page-settings.php:15
action admin_init includes\base\admin\settings\class-submenu-page-settings.php:16
action wpsbc_include_files includes\base\admin\settings\functions.php:21
filter wpsbc_register_submenu_page includes\base\admin\settings\functions.php:46
action plugins_loaded includes\base\calendar\class-object-meta-db-calendars.php:24
action wpsbc_include_files includes\base\calendar\functions.php:44
filter wpsbc_register_database_classes includes\base\calendar\functions.php:63
action widgets_init includes\base\class-widget-calendar.php:350
action plugins_loaded includes\base\event\class-object-meta-db-events.php:24
action wpsbc_include_files includes\base\event\functions.php:28
filter wpsbc_register_database_classes includes\base\event\functions.php:47
action wpsbc_include_files includes\base\functions.php:44
action plugins_loaded includes\base\legend\class-object-meta-db-legend-items.php:24
action wpsbc_include_files includes\base\legend\functions.php:28
filter wpsbc_register_database_classes includes\base\legend\functions.php:47
filter wpsbc_get_legend_items includes\base\legend\functions.php:387
filter block_categories_all includes\modules\blocks\functions.php:23
action admin_enqueue_scripts includes\modules\blocks\functions.php:104
action init includes\modules\blocks\single-calendar\functions.php:58
action elementor/elements/categories_registered includes\modules\elementor\functions.php:20
action elementor/widgets/register includes\modules\elementor\functions.php:33
filter wpsbc_submenu_page_settings_tabs includes\modules\uninstaller\functions.php:22
action wpsbc_submenu_page_settings_tab_uninstaller includes\modules\uninstaller\functions.php:34
action wpsbc_action_uninstall_plugin includes\modules\uninstaller\functions.php:80
filter plugins_api includes\modules\update-checker\class-update-checker.php:58
filter site_transient_update_plugins includes\modules\update-checker\class-update-checker.php:61
filter transient_update_plugins includes\modules\update-checker\class-update-checker.php:62
filter cron_schedules includes\modules\update-checker\class-update-checker.php:69
action wpsbc_action_register_website includes\modules\update-checker\functions-actions-update-checker.php:82
action wpsbc_action_deregister_website includes\modules\update-checker\functions-actions-update-checker.php:123
action wpsbc_action_check_for_updates includes\modules\update-checker\functions-actions-update-checker.php:143
action admin_init includes\modules\update-checker\functions-actions-update-checker.php:176
action wpsbc_include_files includes\modules\update-checker\functions.php:25
action plugins_loaded includes\modules\update-checker\functions.php:49
filter wpsbc_submenu_page_settings_tabs includes\modules\update-checker\functions.php:67
action wpsbc_submenu_page_settings_tab_register_website includes\modules\update-checker\functions.php:79
action admin_init includes\modules\update-checker\functions.php:125
action wpsbc_action_skip_upgrade_process includes\modules\upgrader\functions-actions-upgrader.php:25
action wpsbc_include_files includes\modules\upgrader\functions.php:29
filter wpsbc_register_submenu_page includes\modules\upgrader\functions.php:67
action plugins_loaded wp-simple-booking-calendar.php:87
action plugins_loaded wp-simple-booking-calendar.php:90
action wpsbc_update_check wp-simple-booking-calendar.php:93
action admin_menu wp-simple-booking-calendar.php:96
action admin_menu wp-simple-booking-calendar.php:97
action wp_loaded wp-simple-booking-calendar.php:100
action admin_enqueue_scripts wp-simple-booking-calendar.php:103
action wp_enqueue_scripts wp-simple-booking-calendar.php:106
filter removable_query_args wp-simple-booking-calendar.php:109
filter admin_body_class wp-simple-booking-calendar.php:112
filter admin_footer_text wp-simple-booking-calendar.php:115
Maintenance & Trust

WP Simple Booking Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 8, 2025
PHP min version: 5.6
Downloads: 478K

Community Trust

Rating: 96/100
Number of ratings: 226
Active installs: 20K
Developer Profile

WP Simple Booking Calendar Developer Profile

Roland Murg

3 plugins · 42K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 327 days
Detection Fingerprints

How We Detect WP Simple Booking Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/booking.css
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/datetime.css
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/general.css
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/messages.css
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/style.css
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/variables.css
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/booking.js
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/datetime.js
+19 more
Script Paths
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/booking.js
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/datetime.js
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/general.js
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/messages.js
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/tooltip.js
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/variables.js
+12 more
Version Parameters
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/booking.css?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/datetime.css?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/general.css?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/messages.css?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/style.css?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/css/frontend/variables.css?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/booking.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/datetime.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/general.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/messages.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/tooltip.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/frontend/variables.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/booking.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/calendar.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/categories.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/general.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/messages.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/settings.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/settings/general.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/settings/labels.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/settings/messages.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/settings/permissions.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/settings/styling.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/js/admin/tooltip.js?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/css/admin/general.css?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/css/admin/style.css?ver=
/wp-content/plugins/wp-simple-booking-calendar/assets/css/admin/variables.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpsbc-booking-form, wpsbc-calendar, wpsbc-booking-calendar, wpsbc-settings-general, wpsbc-settings-labels, wpsbc-settings-messages, wpsbc-settings-permissions, wpsbc-settings-styling, +16 more
HTML Comments
WP Simple Booking Calendar, WP Simple Booking Calendar Settings, WP Simple Booking Calendar Categories, WP Simple Booking Calendar Calendar, +5 more
Data Attributes
data-wpsbc-id, data-wpsbc-calendar-id, data-wpsbc-date, data-wpsbc-available, data-wpsbc-booked, data-wpsbc-min-date, +3 more
JS Globals
wpsbc_vars
Shortcode Output
[booking-calendar], [booking_calendar], [simple_booking_calendar], [wpsbc-calendar]