Product
An unauthenticated attacker can exploit CVE-2026-15282, an arbitrary file upload vulnerability due to missing file type validation in the `insapp_upload_image_as_attachment` function of the WordPress Instant Appointment plugin up to version 1.2, to upload malicious files and achieve remote code execution on the affected server.