CVE-2026-15282
The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_uplo
CVSS
9.8
Crítico
EPSS
0.7%
p51
KEV
—
Exploit Today
15
0-100
Publicado: 10 jul 2026 · Última mod.: 14 jul 2026 · CWE-434
0.7%EPSS · 30 días0.7%
2026-07-102026-07-17
The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/instant-appointment/trunk/includes/ajax/ajax_services.php#L3
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/instant-appointment/trunk/includes/front-end/ajax/login_ajax.php#L584
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/instant-appointment/trunk/includes/front-end/ajax/login_ajax.php#L598
- www.wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/097b1530-64fa-45b2-85f3-c6a2311405b5?source=cve
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-562909.8 CRÍ85.4%
KEV—76Joomlack Page Builder Improper Access Control Vulnerability9dCVE-2026-489089.8 CRÍ72.6%
KEV—72JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability9dCVE-2026-489399.8 CRÍ71.5%
KEV—71iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability7dCVE-2026-562919.8 CRÍ53.7%
KEV—66Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability7dCVE-2023-388368.8 ALT99.3%
——30File Upload vulnerability in BoidCMS v.2.0.0 allows a remote attacker to execute arbitrary code by adding a GIF header to bypass MIME type checks.9dCVE-2023-464747.2 ALT97.3%
——29File Upload vulnerability PMB v.7.4.8 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted PHP file uploaded to the start_import.php file.9d