WPCal.io – Easy Meeting Scheduler Security & Risk Analysis

wordpress.org/plugins/wpcal

Your clients can quickly view your real-time availability and self-book their own slots, and eliminate all back-and-forth emailing.

1K active installs v0.9.5.10 PHP 7.1+ WP 5.0+ Updated Nov 18, 2025
Tags: appointment, booking, interview, meeting, scheduling
Score: 98/100 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Dec 30, 2025
Safety Verdict

Is WPCal.io – Easy Meeting Scheduler Safe to Use in 2026?

Generally Safe

Score 98/100

WPCal.io – Easy Meeting Scheduler has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Dec 30, 2025 · Updated 4mo ago
Risk Assessment

The wpcal plugin v0.9.5.10 exhibits a mixed security posture. While it demonstrates good practices in its SQL query handling, with a high percentage of prepared statements, and a reasonable number of capability checks, several areas raise significant concerns. The presence of three AJAX handlers without authentication checks creates a substantial attack surface that could be exploited by unauthenticated users. Furthermore, a concerning 75% of output operations are not properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. Taint analysis also revealed three flows with unsanitized paths, though thankfully none reached critical or high severity in this static scan.

The plugin's vulnerability history is also a point of concern, with two known medium-severity CVEs recorded, specifically related to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). The fact that the last vulnerability was recorded relatively recently (December 2025) suggests a recurring pattern of introducing security weaknesses. While there are currently no unpatched CVEs, the history of past vulnerabilities, combined with the identified code signals like unauthenticated AJAX endpoints and insufficient output escaping, paints a picture of a plugin that requires careful attention to security, despite some positive aspects like robust SQL usage.

Key Concerns

  • 3 unprotected AJAX handlers
  • Low percentage of properly escaped output (25%)
  • 3 unsanitized path taint flows
  • 2 medium severity CVEs in history
  • 1 file operation
  • Bundled library (Guzzle)
Vulnerabilities: 2

WPCal.io – Easy Meeting Scheduler Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2025-66103 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCal.io <= 0.9.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 30, 2025 · Patched in 0.9.5.10 (7d)

CVE-2024-32795 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WPCal.io – Easy Meeting Scheduler <= 0.9.5.8 - Cross-Site Request Forgery

Apr 22, 2024 · Patched in 0.9.5.9 (24d)
Code Analysis
Analyzed Mar 16, 2026

WPCal.io – Easy Meeting Scheduler Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 19 (251 prepared)
  • Unescaped Output: 147 (48 escaped)
  • Nonce Checks: 2
  • Capability Checks: 6
  • File Operations: 1
  • External Requests: 3
  • Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

93% prepared · 270 total queries

Output Escaping

25% escaped · 195 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
wpcal_listen_and_may_redirect (includes\app_func.php:3357)
Attack Surface: 3 unprotected

WPCal.io – Easy Meeting Scheduler Attack Surface

Entry Points: 4
Unprotected: 3

AJAX Handlers: 3

  • auth · wp_ajax_wpcal_process_admin_ajax_request · includes\class_init_admin.php:48
  • nopriv · wp_ajax_wpcal_process_user_ajax_request · includes\class_init_user.php:107
  • auth · wp_ajax_wpcal_process_user_ajax_request · includes\class_init_user.php:108

Shortcodes: 1

  • [wpcal] · includes\class_init_user.php:103

WordPress Hooks: 25

  • filter · option_nav_menu_options · includes\app_func.php:456
  • filter · cron_schedules · includes\class_cron.php:20
  • action · wpcal_api_task_cron · includes\class_cron.php:21
  • action · wpcal_local_task_cron · includes\class_cron.php:22
  • action · wpcal_misc_cron · includes\class_cron.php:23
  • action · init · includes\class_init.php:22
  • action · init · includes\class_init.php:24
  • action · after_setup_theme · includes\class_init.php:28
  • filter · option_aj_exclusions · includes\class_init.php:80
  • filter · pre_update_option_aj_exclusions · includes\class_init.php:81
  • action · admin_menu · includes\class_init_admin.php:40
  • action · admin_enqueue_scripts · includes\class_init_admin.php:46
  • action · admin_init · includes\class_init_admin.php:50
  • action · update_option_timezone_string · includes\class_init_admin.php:52
  • filter · plugin_action_links · includes\class_init_admin.php:54
  • action · admin_notices · includes\class_init_admin.php:56
  • action · admin_init · includes\class_init_admin.php:61
  • filter · admin_body_class · includes\class_init_admin.php:65
  • action · admin_enqueue_scripts · includes\class_init_admin.php:113
  • action · admin_enqueue_scripts · includes\class_init_admin.php:114
  • action · admin_enqueue_scripts · includes\class_init_admin.php:117
  • action · wp_head · includes\class_init_user.php:17
  • action · init · includes\class_init_user.php:18
  • action · wp_head · includes\class_init_user.php:20
  • action · admin_notices · includes\class_license_auth.php:569

Scheduled Events: 3

  • wpcal_api_task_cron
  • wpcal_local_task_cron
  • wpcal_misc_cron
Maintenance & Trust

WPCal.io – Easy Meeting Scheduler Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.4.8
  • Last updated: Nov 18, 2025
  • PHP min version: 7.1
  • Downloads: 32K

Community Trust

  • Rating: 92/100
  • Number of ratings: 20
  • Active installs: 1K
Developer Profile

WPCal.io – Easy Meeting Scheduler Developer Profile

revmakx

6 plugins · 224K total installs

  • Trust score: 73
  • Avg Security Score: 92/100
  • Avg Patch Time: 704 days
Detection Fingerprints

How We Detect WPCal.io – Easy Meeting Scheduler

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wpcal/assets/css/wpcal-user.css
  • /wp-content/plugins/wpcal/assets/js/wpcal-user.js
  • /wp-content/plugins/wpcal/assets/js/wpcal-admin.js
  • /wp-content/plugins/wpcal/assets/css/wpcal-admin.css
  • /wp-content/plugins/wpcal/assets/css/wpcal-admin-calendar.css
  • /wp-content/plugins/wpcal/assets/js/wpcal-admin-calendar.js
  • /wp-content/plugins/wpcal/assets/css/wpcal-admin-calendar-view.css
  • /wp-content/plugins/wpcal/assets/js/wpcal-admin-calendar-view.js
  • (+2 more)

Script Paths

  • /wp-content/plugins/wpcal/assets/js/wpcal-user.js
  • /wp-content/plugins/wpcal/assets/js/wpcal-admin.js
  • /wp-content/plugins/wpcal/assets/js/wpcal-admin-calendar.js
  • /wp-content/plugins/wpcal/assets/js/wpcal-admin-calendar-view.js
  • /wp-content/plugins/wpcal/assets/js/wpcal-admin-settings.js

Version Parameters

  • wpcal/assets/css/wpcal-user.css?ver=
  • wpcal/assets/js/wpcal-user.js?ver=
  • wpcal/assets/js/wpcal-admin.js?ver=
  • wpcal/assets/css/wpcal-admin.css?ver=
  • wpcal/assets/css/wpcal-admin-calendar.css?ver=
  • wpcal/assets/js/wpcal-admin-calendar.js?ver=
  • wpcal/assets/css/wpcal-admin-calendar-view.css?ver=
  • wpcal/assets/js/wpcal-admin-calendar-view.js?ver=
  • wpcal/assets/css/wpcal-admin-settings.css?ver=
  • wpcal/assets/js/wpcal-admin-settings.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wpcal-booking-wrapper
  • wpcal-admin-wrapper
  • wpcal-user-avatar
  • wpcal-service-title
  • wpcal-service-description
  • wpcal-service-price
  • wpcal-booking-form
  • wpcal-admin-calendar
  • (+2 more)

HTML Comments

  • <!-- WPCal.io -->
  • <!-- WPCal.io Copyright (c) 2020 Revmakx LLC -->
  • <!-- WPCal.io START -->
  • <!-- WPCal.io END -->
  • (+2 more)

Data Attributes

  • data-wpcal-service-id
  • data-wpcal-booking-id
  • data-wpcal-admin-action
  • data-wpcal-current-user-id

JS Globals

  • __wpcal_dist_url
  • wpcal_global_settings
  • wpcal_user_data

REST Endpoints

  • /wp-json/wpcal/v1/booking
  • /wp-json/wpcal/v1/admin/settings
  • /wp-json/wpcal/v1/admin/services
  • /wp-json/wpcal/v1/admin/bookings

Shortcode Output

  • [wpcal_booking]
  • [wpcal_admin_panel]
  • [wpcal_service]
  • [wpcal_availability]
FAQ

Frequently Asked Questions about WPCal.io – Easy Meeting Scheduler