Back to overview

CVE-2026-15282

CRITICAL
9.8
CVSS 3.1
Description
The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Metadata

CVE ID
CVE-2026-15282
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-09 15:48 UTC
Published
2026-07-10 04:31 UTC
Last updated
2026-07-10 04:31 UTC
Primary CWE
CWE-434
CWE-434 Unrestricted Upload of File with Dangerous Type
Vendor / Product
tenteeglobal / Instant Appointment
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
tenteeglobal Instant Appointment 0 ≤ 1.2
Weakness (CWE)
CWESourceDescription
CWE-434 cna CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Back to overview