A missing file-type validation flaw in the Instant Appointment plugin for WordPress (versions ≤ 1.2) lets unauthenticated attackers upload arbitrary files, potentially leading to remote code execution, and carries a CVSS score of 9.8.
What Is It
CVE-2026-15282 is an arbitrary file upload vulnerability (CWE-434) in the Instant Appointment plugin for WordPress, developed by tenteeglobal. The flaw stems from missing file type validation in the insapp_upload_image_as_attachment function. Because the affected code path does not restrict what kind of file is accepted, unauthenticated attackers can upload arbitrary files to the affected site's server, which may make remote code execution possible.
Why It Matters
The vulnerability is rated CRITICAL with a CVSS 3.1 base score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It requires no authentication, no privileges, and no user interaction, and is exploitable over the network with low attack complexity. Confidentiality, integrity, and availability impacts are all rated HIGH. An attacker who uploads a malicious file and achieves code execution could gain full control over the hosting server.
What's Vulnerable
- Vendor: tenteeglobal
- Product: Instant Appointment plugin for WordPress
- Affected versions: All versions up to and including 1.2
Patch Status
The supplied source material does not list a fixed version or CISA KEV entry. There is no confirmation of active exploitation in the provided KEV data, and no vendor-specified required action is included in this record. Administrators running Instant Appointment ≤ 1.2 should treat the plugin as exposed pending a vendor update.