Arbitrary File Upload Vulnerability in Instant Appointment Plugin for WordPress
CVE-2026-15282
9.8CRITICAL
What is CVE-2026-15282?
The Instant Appointment plugin for WordPress is susceptible to arbitrary file uploads due to inadequate file type validation in its 'insapp_upload_image_as_attachment' function. This flaw affects all versions up to and including 1.2, allowing unauthenticated attackers to upload arbitrary files to the server hosting the affected site. Such unauthorized file uploads can potentially result in remote code execution, posing significant security risks to the website's integrity and confidentiality.
Affected Version(s)
Instant Appointment 0 <= 1.2