External risk intelligence

WordPress Instant Appointment Plugin Arbitrary File Upload Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-15282

The vulnerability exists in a WordPress plugin designed for public-facing appointment scheduling. As a web-based plugin accessible via front-end AJAX functions, it is intended for use by external site visitors, making the attack surface public-facing by design.

Unrestricted File Upload

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Instant Appointment plugin for WordPress allows unauthenticated attackers to upload arbitrary files. This could potentially lead to the execution of malicious code on your website's server, impacting its integrity and availability.

  • Allows attackers to upload harmful files.
  • Critical security flaw in a public-facing plugin.
  • Verify if this plugin is in use and assess exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can upload arbitrary files to a WordPress site by targeting the Instant Appointment plugin. The vulnerability lies in a function that fails to properly validate uploaded file types. This exposure could allow an attacker to place malicious files on the server, potentially leading to remote code execution.

  • No authentication required to attack.
  • Uploading an image triggers the vulnerability.
  • Risk of remote code execution exists.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, unauthenticated attackers could upload arbitrary files to the affected WordPress site's server, potentially leading to remote code execution. This could impact the integrity and availability of the website and its underlying server.

  • Website files and server access.
  • Arbitrary file uploads.
  • Server compromise and code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world ownership of this vulnerability likely falls to the application owner or platform team responsible for the WordPress environment, as it affects a plugin. The initial practical step is to inventory all WordPress sites utilizing the Instant Appointment plugin, determine if any instances are internet-facing or host critical data, and identify the specific owner for each instance to prioritize remediation efforts.

  • Application owners must be accountable.
  • Verify plugin presence and exposure.
  • Plan coordinated vendor and site updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Instant Appointment WordPress plugin?

Instant Appointment is a WordPress plugin used by website administrators to manage and automate booking or scheduling directly through their site. It typically provides a front-end interface for users to select services and time slots, acting as a functional bridge between the public visitor and the site's database.

What does CVE-2026-15282 mean for security?

This vulnerability is classified as Unrestricted Upload of File with Dangerous Type (CWE-434). It means the plugin lacks necessary checks to verify the type of files being uploaded. Because the software fails to confirm that a user is only uploading valid images, an attacker can bypass these defenses to place unauthorized files on the server.

How is this file upload vulnerability triggered?

The vulnerability is triggered when an attacker interacts with the insapp_upload_image_as_attachment function. No authentication is required, meaning anyone can reach this endpoint. Simply navigating to a page that uses the plugin is not enough; the bug specifically requires the attacker to actively submit a file through the vulnerable function.

Is my site at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a high-priority risk because the plugin is designed for public-facing appointment scheduling. Since the vulnerable AJAX functions are meant to be accessed by external site visitors, the attack surface is exposed by design to anyone on the internet, rather than being restricted to internal network users.

Do I need to take action if I use this plugin?

Yes. First, perform an inventory to confirm if you are running the Instant Appointment plugin on any of your WordPress instances. Once identified, treat all internet-facing sites as high priority. You should determine who owns these sites and coordinate with them to disable or remove the plugin until a secure update is verified.

References