CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-15282 — The Instant Appointment plugin for WordPress is vulnerable to arbitrary file upl...

·Source: NIST NVD

Updated:

Executive Summary

The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Analysis

The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSS Score: 9.8. Published: 2026-07-10T05:16:30.820.

Indicators of Compromise (1)

CVE (1)
CVE-2026-15282
Source Attribution

Originally published by NIST NVD on Jul 10, 2026. Verified by: NIST.

Related Threats