SYS::ONLINE
Wasteland.
Briefs1149
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-15282 2026-07-10

CVE-2026-15282: Critical Unauthenticated File Upload in WordPress Instant Appointment Plugin

"A missing file-type validation flaw in the Instant Appointment plugin for WordPress (versions ≤ 1.2) lets unauthenticated attackers upload arbitrary files, potentially leading to remote code execution, and carries a…"

A missing file-type validation flaw in the Instant Appointment plugin for WordPress (versions ≤ 1.2) lets unauthenticated attackers upload arbitrary files, potentially leading to remote code execution, and carries a CVSS score of 9.8.

What Is It

CVE-2026-15282 is an arbitrary file upload vulnerability (CWE-434) in the Instant Appointment plugin for WordPress, developed by tenteeglobal. The flaw stems from missing file type validation in the insapp_upload_image_as_attachment function. Because the affected code path does not restrict what kind of file is accepted, unauthenticated attackers can upload arbitrary files to the affected site's server, which may make remote code execution possible.

Why It Matters

The vulnerability is rated CRITICAL with a CVSS 3.1 base score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It requires no authentication, no privileges, and no user interaction, and is exploitable over the network with low attack complexity. Confidentiality, integrity, and availability impacts are all rated HIGH. An attacker who uploads a malicious file and achieves code execution could gain full control over the hosting server.

What's Vulnerable

Patch Status

The supplied source material does not list a fixed version or CISA KEV entry. There is no confirmation of active exploitation in the provided KEV data, and no vendor-specified required action is included in this record. Administrators running Instant Appointment ≤ 1.2 should treat the plugin as exposed pending a vendor update.

Sources