WPBookit Security & Risk Analysis

wordpress.org/plugins/wpbookit

WPBookit is a free WordPress booking plugin that simplifies seamless scheduling, custom calendars and global accessibility.

10 active installs · v1.0.9 · PHP 8.0+ · WP 3.0.1+ · Updated Feb 23, 2026

Tags: free-appointment-booking-wordpress-plugin, free-booking-system-wordpress, free-reservation-plugin, free-wordpress-reservation-plugin

Score: 20 (F · Critical Risk)
CVEs total: 14
Unpatched: 2
Last CVE: Mar 3, 2026
Safety Verdict

Is WPBookit Safe to Use in 2026?

Critical Risk — Avoid

Score 20/100

WPBookit is critically unsafe with 14 known CVEs, 2 still unpatched. Avoid in production.

14 known CVEs · 2 unpatched · Last CVE: Mar 3, 2026 · Updated 2mo ago
Risk Assessment

The wpbookit plugin, despite some positive security practices like consistent use of prepared statements for SQL queries and a high percentage of properly escaped output, exhibits significant security concerns. The static analysis reveals the presence of dangerous functions such as `move_uploaded_file` and `preg_replace(/e)`, which, combined with four taint flows with unsanitized paths, present a tangible risk of code execution or data manipulation. The history of 14 known CVEs, with two currently unpatched and a notable number of critical and high severity vulnerabilities in the past, including XSS, information exposure, CSRF, and SQL injection, strongly suggests a pattern of recurring security weaknesses. This history, coupled with the dangerous functions and unsanitized taint flows, indicates a need for urgent attention to address these vulnerabilities and improve overall code quality to prevent future exploits.

Key Concerns

  • Unpatched critical CVEs
  • Unpatched high severity CVEs
  • Critical taint flows found
  • High severity taint flows found
  • Presence of dangerous function move_uploaded_file
  • Presence of dangerous function preg_replace(/e)
Vulnerabilities
14 published

WPBookit Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE (has unpatched)
  • 2025: 11 CVEs (has unpatched)
  • 2026: 2 CVEs (patched)

Severity Breakdown

  • Critical: 6
  • High: 4
  • Medium: 4

14 total CVEs

CVE-2026-1945 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPBookit <= 1.0.8 - Unauthenticated Stored Cross-Site Scripting via 'wpb_user_name' and 'wpb_user_email' Parameters

Mar 3, 2026 · Patched in 1.0.9 (1d)

CVE-2026-1980 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

WPBookit <= 1.0.8 - Missing Authorization to Unauthenticated Sensitive Customer Data Exposure

Mar 3, 2026 · Patched in 1.0.9 (1d)

CVE-2025-12685 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WPBookit <= 1.0.7 - Cross-Site Request Forgery to Customer Deletion

Dec 12, 2025 · Unpatched

CVE-2025-12135 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting

Nov 20, 2025 · Patched in 1.0.7 (1d)

CVE-2025-7852 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

WPBookit <= 1.0.6 - Unauthenticated Arbitrary File Upload via image_upload_handle Function

Jul 23, 2025 · Patched in 1.0.7 (1d)

CVE-2025-6058 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload

Jul 11, 2025 · Patched in 1.0.5 (1d)

CVE-2025-6057 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

WPBookit <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload

Jul 11, 2025 · Patched in 1.0.5 (1d)

CVE-2025-3810 · critical · 9.8 · Authorization Bypass Through User-Controlled Key

WPBookit <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Account Takeover

May 8, 2025 · Patched in 1.0.3 (1d)

CVE-2025-3811 · critical · 9.8 · Authorization Bypass Through User-Controlled Key

WPBookit <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Email Update

May 8, 2025 · Patched in 1.0.3 (1d)

CVE-2025-32254 · medium · 5.3 · Missing Authorization

WPBookit <= 1.0.7 - Missing Authorization

Apr 4, 2025 · Patched in 1.0.8 (279d)

CVE-2025-26910 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

WPBookit <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Mar 9, 2025 · Patched in 1.0.2 (6d)

CVE-2025-0357 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

WPBookit <= 1.6.9 - Unauthenticated Arbitrary File Upload

Jan 24, 2025 · Patched in 1.6.10 (1d)

CVE-2024-10215 · critical · 9.8 · Authorization Bypass Through User-Controlled Key

WPBookit <= 1.6.4 - Unauthenticated Arbitrary User Password Change

Jan 9, 2025 · Patched in 1.6.6 (1d)

CVE-2024-54280 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WPBookit <= 1.6.0 - Unauthenticated SQL Injection

Dec 11, 2024 · Unpatched
Code Analysis
Analyzed Apr 16, 2026

WPBookit Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 0 (142 prepared)
  • Unescaped Output: 26 (1790 escaped)
  • Nonce Checks: 5
  • Capability Checks: 27
  • File Operations: 7
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • move_uploaded_file (core/admin/classes/controllers/class.wpb-booking-type-controller.php:489): `if (move_uploaded_file($tmp_file_path, $destination_file_path)) : //phpcs:ignore Generic.PHP.Forbid`
  • preg_replace(/e) (core/admin/classes/controllers/class.wpb-setting-controller.php:28): `preg_replace('/e`
  • move_uploaded_file (core/admin/classes/controllers/class.wpb-setting-controller.php:79): `if (move_uploaded_file($tmp_file_path, $destination_file_path)) : // phpcs:ignore Generic.PHP.Forbi`

SQL Query Safety

100% prepared (142 total queries)

Output Escaping

99% escaped (1816 total outputs)
Data Flows · Security
4 unsanitized

Data Flow Analysis

7 flows, 4 with unsanitized paths
<html-bookings-history> (templates/shortcodes/profile/html-bookings-history.php:0)
Attack Surface

WPBookit Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers 5

  • auth: wp_ajax_wpb_ajax_post (core/admin/classes/class.wpb-admin-routes-handler.php:15)
  • nopriv: wp_ajax_wpb_ajax_post (core/admin/classes/class.wpb-admin-routes-handler.php:16)
  • auth: wp_ajax_wpb_ajax_get (core/admin/classes/class.wpb-admin-routes-handler.php:18)
  • nopriv: wp_ajax_wpb_ajax_get (core/admin/classes/class.wpb-admin-routes-handler.php:19)
  • auth: wp_ajax_iq_dismiss_notice (core/class-wpbookit.php:197)
WordPress Hooks 53

  • action: admin_menu (core/admin/classes/class.wpb-admin.php:13)
  • filter: admin_title (core/admin/classes/class.wpb-admin.php:19)
  • action: wp_loaded (core/admin/classes/class.wpb-admin.php:20)
  • action: admin_enqueue_scripts (core/admin/classes/class.wpb-admin.php:23)
  • action: admin_enqueue_scripts (core/admin/classes/class.wpb-admin.php:24)
  • action: admin_head (core/admin/classes/class.wpb-admin.php:27)
  • action: wpbookit_settings_before_main_content (core/admin/classes/class.wpb-admin.php:30)
  • action: wpbookit_settings_before_content (core/admin/classes/class.wpb-admin.php:31)
  • action: wpbookit_settings_after_main_content (core/admin/classes/class.wpb-admin.php:32)
  • action: admin_footer (core/admin/classes/class.wpb-admin.php:33)
  • filter: wpbookit_settings_tabs_array (core/admin/classes/settings/class.wpb-settings-page.php:34)
  • action: admin_notices (core/class-wpbookit.php:196)
  • action: init (core/includes/abstracts/abstract-wpb-import.php:20)
  • filter: wpb_available_import_files (core/includes/abstracts/abstract-wpb-import.php:22)
  • filter: rewrite_rules_array (core/includes/classes/class-wpb-permalink-handler.php:6)
  • filter: query_vars (core/includes/classes/class-wpb-permalink-handler.php:7)
  • action: template_redirect (core/includes/classes/class-wpb-permalink-handler.php:8)
  • action: init (core/includes/classes/class-wpb-permalink-handler.php:9)
  • action: wpb_enqueue_script (core/includes/classes/class-wpb-permalink-handler.php:11)
  • action: admin_post_nopriv_cancel_booking (core/includes/classes/class-wpb.booking-cancellation.php:16)
  • action: admin_post_cancel_booking (core/includes/classes/class-wpb.booking-cancellation.php:17)
  • filter: nonce_user_logged_out (core/includes/classes/class-wpb.booking-cancellation.php:25)
  • action: init (core/includes/classes/class.wpb-helpers.php:25)
  • action: init (core/includes/classes/class.wpb-install.php:20)
  • action: init (core/includes/classes/class.wpb-install.php:22)
  • action: show_user_profile (core/includes/classes/class.wpb-install.php:24)
  • action: edit_user_profile (core/includes/classes/class.wpb-install.php:25)
  • action: personal_options_update (core/includes/classes/class.wpb-install.php:26)
  • action: edit_user_profile_update (core/includes/classes/class.wpb-install.php:27)
  • action: admin_init (core/includes/classes/class.wpb-install.php:31)
  • action: admin_init (core/includes/classes/class.wpb-install.php:32)
  • filter: wp_mail_content_type (core/includes/wpb-core-functions.php:187)
  • action: wpb_before_booking_insert (core/includes/wpb-guest-users-functions.php:73)
  • action: wpbookit_edit_profile_hook (core/includes/wpb-template-hooks.php:18)
  • action: wpbookit_bookings_history_hook (core/includes/wpb-template-hooks.php:19)
  • action: wpbookit_upcoming_bookings_hook (core/includes/wpb-template-hooks.php:20)
  • action: wpbookit_pending_bookings_hook (core/includes/wpb-template-hooks.php:21)
  • action: wpbookit_booking_no_upcoming_hook (core/includes/wpb-template-hooks.php:22)
  • action: wpbookit_booking_no_pending_hook (core/includes/wpb-template-hooks.php:23)
  • action: wpbookit_booking_no_history_hook (core/includes/wpb-template-hooks.php:24)
  • action: wpbookit_booking_types_hook (core/includes/wpb-template-hooks.php:29)
  • action: wpbookit_bookings_timeslot_hook (core/includes/wpb-template-hooks.php:32)
  • action: wpbookit_booking_shortcode_tabs_hook (core/includes/wpb-template-hooks.php:33)
  • action: wpbookit_booking_shortcode_detail_tab (core/includes/wpb-template-hooks.php:35)
  • action: wpbookit_booking_shortcode_payment_tab (core/includes/wpb-template-hooks.php:36)
  • action: wpbookit_booking_shortcode_model_pagination (core/includes/wpb-template-hooks.php:37)
  • action: wpbookit_booking_shortcode_after (core/includes/wpb-template-hooks.php:40)
  • action: wpbookit_add_booking_type_form (core/includes/wpb-template-hooks.php:43)
  • action: wpbookit_booking_shortcode_form (core/includes/wpb-template-hooks.php:45)
  • action: wpbookit_booking_shortcode_form_question_type (core/includes/wpb-template-hooks.php:46)
  • action: wpbookit_booking_shortcode_user_name_fields (core/includes/wpb-template-hooks.php:47)
  • action: wpbookit_add_navbar_menu (core/includes/wpb-template-hooks.php:53)
  • action: admin_footer (core/shortcodes/class-wpbookit-shortcode-abstract.php:133)

Scheduled Events 1

wpb_customer_booking_reminder
Maintenance & Trust

WPBookit Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 23, 2026
  • PHP min version: 8.0
  • Downloads: 4K

Community Trust

  • Rating: 0/100
  • Number of ratings: 0
  • Active installs: 10
Alternatives

WPBookit Alternatives

No alternatives data available yet.

Developer Profile

WPBookit Developer Profile

Iqonic Design

6 plugins · 17K total installs

  • Trust score: 75
  • Avg Security Score: 81/100
  • Avg Patch Time: 62 days
Detection Fingerprints

How We Detect WPBookit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wpbookit/core/admin/assets/src/css/app.css
  • /wp-content/plugins/wpbookit/core/admin/assets/src/css/rtl.css
  • /wp-content/plugins/wpbookit/core/admin/assets/vendor/css/bootstrap.js

Script Paths
  • /wp-content/plugins/wpbookit/core/admin/assets/src/js/app.js
  • /wp-content/plugins/wpbookit/core/admin/assets/src/js/vendor/moment.min.js
  • /wp-content/plugins/wpbookit/core/admin/assets/src/js/vendor/moment-timezone-with-data.min.js
  • /wp-content/plugins/wpbookit/core/admin/assets/src/js/vendor/flatpickr.min.js
  • /wp-content/plugins/wpbookit/core/admin/assets/src/js/vendor/sweetalert.min.js
  • /wp-content/plugins/wpbookit/core/admin/assets/src/js/vendor/vue.js
  • +28 more

Version Parameters
  • wpbookit/style.css?ver=
  • wpbookit/script.js?ver=
  • wpbookit-dashbord?ver=
  • wpbookit-font-family?ver=
  • wpbookit-dashbord?ver=
  • wpb-custom-code-css?ver=
  • wpb-custom-code-js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpbookit-dashbord
  • wpb-custom-code-css
  • wpb-custom-code-js
  • iqwPB-backend-wrapper
  • wpb-settings-page
  • wpb-settings-tabs-wrapper
  • wpb-setting-section-header
  • wpb-setting-section-title
  • +19 more

HTML Comments
  • HELPER COMMENT START
  • HELPER COMMENT END

Data Attributes
  • data-wpbookit-dashboard
  • data-wpbookit-settings
  • data-wpbookit-appointments
  • data-wpbookit-customers
  • data-wpbookit-payment-gateways
  • data-wpbookit-calendar
  • +6 more

JS Globals
  • WPBOOKIT
  • IQWPB_VERSION
  • IQWPB_PLUGIN_URL
  • wpbookit_custom_code
  • window.Vue
  • window.VueI18n
  • +10 more
FAQ

Frequently Asked Questions about WPBookit