Exposures › CVE-2026-15282
A WordPress plugin allows unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution.
The Instant Appointment plugin lacks file type validation, permitting unauthenticated attackers to upload files that could lead to remote code execution. While not directly tied to a specific vendor or FedRAMP breach, this vulnerability highlights the risk of third-party software in DIB environments where unpatched plugins can compromise system integrity and data confidentiality.
Shame score — The vulnerability is a known issue in a third-party plugin that could be exploited if not patched, but it does not involve a vendor failure or negligence.
The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
No correlated FedRAMP products.