CRITICAL
tenteeglobal
CVE published 2026-07-10
CVE-2026-15282
The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This vulnerability allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially enabling remote code execution. Users should review their deployments, [truncated]