COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-15282

CVE-2026-15282

Severity
critical
Source
NVD · cve
Published
2026-07-10
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-15282
⚡ RCE shame 45/100 rceunpatchedexploited-in-wild

A WordPress plugin allows unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution.

The Instant Appointment plugin lacks file type validation, permitting unauthenticated attackers to upload files that could lead to remote code execution. While not directly tied to a specific vendor or FedRAMP breach, this vulnerability highlights the risk of third-party software in DIB environments where unpatched plugins can compromise system integrity and data confidentiality.

Shame score — The vulnerability is a known issue in a third-party plugin that could be exploited if not patched, but it does not involve a vendor failure or negligence.

Description

The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.