Description
Unrestricted Upload of File with Dangerous Type vulnerability in appointify Appointify allows Upload a Web Shell to a Web Server. This issue affects Appointify: from n/a through <= 1.0.8.
Published: 2025-03-31
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Appointify plugin for WordPress contains an unrestricted file upload flaw that allows an attacker to upload files with dangerous types, such as PHP scripts. By uploading a malicious web shell, an attacker can gain code execution on the web server, which can lead to full system compromise and data exfiltration. This weakness is identified as CWE-434 and directly undermines the confidentiality, integrity, and availability of the affected site.

Affected Systems

The vulnerability affects every installation of the Appointify plugin at version 1.0.8 or earlier, on any WordPress site regardless of its domain or size. All users of Appointify <= 1.0.8 share the same exposure.

Risk and Exploitability

The CVSS score for this flaw is 6.6, indicating moderate severity. The EPSS score is below 1 percent, showing that exploit activity is currently very rare, and the plugin is not listed in CISA's KEV catalog. An attacker would need network access to the plugin's upload interface, which is typically exposed via the WordPress admin panel. A successful upload lets the attacker execute arbitrary PHP code, resulting in full compromise of the site. Given the moderate CVSS and low EPSS, the overall risk is moderate but warrants prompt remediation.

Generated by OpenCVE AI on May 1, 2026 at 02:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Appointify plugin to version 1.0.9 or later.
  • If an upgrade cannot be performed immediately, disable the plugin or remove its upload functionality until a patch is applied.
  • Clean the upload directory of all previously uploaded files with dangerous extensions and ensure the directory is not executable by the web server.
  • Enforce strict file type validation on the upload interface, allowing only non-executable types such as images or predefined safe formats.
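As an added example (not Appointify's code, and not a patch for this CVE), the following WordPress upload handler applies the controls listed above: capability and nonce checks, a single-extension rule, an allowlist verified against file content rather than the client-supplied type, a server-chosen random file name, and a non-executable storage directory. The function name, nonce action, constant names and directory name are assumptions.

```php
<?php
// Added example, not Appointify's code: a hardened upload handler for a
// WordPress plugin applying the controls above. Names are hypothetical.

// Allowlist of non-executable types (extension => MIME); nothing else is accepted.
const APPT_SAFE_TYPES = [
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
];

// Apache rules dropped into the upload directory so stored files are never executed.
const APPT_HTACCESS = <<<'HT'
php_flag engine off
<FilesMatch "\.(php|phtml|phar|phps)$">
Require all denied
</FilesMatch>
HT;

function appt_hardened_upload( array $file ) {
    // 1. Authorisation: require a capability and a valid nonce, never anonymous access.
    if ( ! current_user_can( 'upload_files' ) || ! check_ajax_referer( 'appt_upload', 'nonce', false ) ) {
        return new WP_Error( 'forbidden', 'Not allowed.' );
    }
    // 2. Exactly one extension: blocks "shell.php.jpg"-style double extensions.
    $name = sanitize_file_name( wp_basename( $file['name'] ) );
    if ( substr_count( $name, '.' ) !== 1 ) {
        return new WP_Error( 'bad_name', 'Exactly one file extension is required.' );
    }
    // 3. Allowlist by extension AND by content (wp_check_filetype_and_ext sniffs
    //    the bytes); the client-supplied Content-Type is deliberately ignored.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, APPT_SAFE_TYPES );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }
    // 4. Dedicated directory, made non-executable, under the WordPress uploads root.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'appt-files';
    wp_mkdir_p( $dir );
    if ( ! file_exists( $dir . '/.htaccess' ) ) {
        file_put_contents( $dir . '/.htaccess', APPT_HTACCESS . "\n" );
    }
    // 5. Random server-chosen name: the uploader never controls the stored path.
    $dest = $dir . '/' . bin2hex( random_bytes( 16 ) ) . '.' . $check['ext'];
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'store_failed', 'Could not store the file.' );
    }
    chmod( $dest, 0644 );
    return $dest;
}
```

The .htaccess rules only take effect on Apache with AllowOverride enabled; on nginx or PHP-FPM the equivalent is a location block for the upload directory that refuses to pass .php files to the PHP handler.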

Advisories
Source: EUVD
ID: EUVD-2025-8794
Title: Unrestricted Upload of File with Dangerous Type vulnerability in appointify Appointify allows Upload a Web Shell to a Web Server. This issue affects Appointify: from n/a through 1.0.8.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): score 6.6, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Wed, 01 Apr 2026 23:45:00 +0000
  Description removed: "Unrestricted Upload of File with Dangerous Type vulnerability in appointify Appointify allows Upload a Web Shell to a Web Server. This issue affects Appointify: from n/a through 1.0.8."
  Description added: "Unrestricted Upload of File with Dangerous Type vulnerability in appointify Appointify appointify allows Upload a Web Shell to a Web Server.This issue affects Appointify: from n/a through <= 1.0.8."
  References: changed
  Metrics (cvssV3_1): score 6.6, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Mon, 31 Mar 2025 14:15:00 +0000
  Metrics (ssvc, version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial

Mon, 31 Mar 2025 13:00:00 +0000
  Description added: "Unrestricted Upload of File with Dangerous Type vulnerability in appointify Appointify allows Upload a Web Shell to a Web Server. This issue affects Appointify: from n/a through 1.0.8."
  Title added: WordPress Appointify plugin <= 1.0.8 - Arbitrary File Upload vulnerability
  Weaknesses added: CWE-434
  References: added
  Metrics (cvssV3_1): score 6.6, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:09.348Z

Reserved: 2025-03-31T10:05:51.138Z

Link: CVE-2025-31577

Vulnrichment

Updated: 2025-03-31T14:09:22.968Z

NVD

Status: Deferred

Published: 2025-03-31T13:15:51.240

Modified: 2026-04-23T15:27:59.927

Link: CVE-2025-31577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:00:08Z

Weaknesses