Description
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server. This issue affects Appointment: from n/a through <= 3.5.5.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Upload via CSRF
Action: Apply Patch
AI Analysis

Impact

A Cross-Site Request Forgery flaw in the WordPress Appointment theme lets a user upload an arbitrary file to the web server without any authentication checks. By uploading a malicious script such as a PHP web shell, an attacker can obtain remote code execution and compromise the integrity and confidentiality of the affected WordPress site.

Affected Systems

The flaw is present in the Appointment theme created by priyanshumittal and applies to every released version up to and including 3.5.5; no newer versions are identified in the CVE entry.

Risk and Exploitability

The vulnerability requires the attacker to get a victim to issue a crafted request that triggers the upload endpoint. Because the request is not protected by a CSRF token, any user who loads a malicious page can trigger the upload, making the attack relatively easy if a logged-in user with access to that endpoint can be lured into visiting it. While the EPSS score is not available and the flaw is not listed in the CISA KEV catalog, the possibility of arbitrary file upload gives the vulnerability a high potential for exploitation should an attacker gain the ability to generate the required request.

Generated by OpenCVE AI on April 8, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Appointment theme to a version newer than 3.5.5 if one is available from the vendor.
  • If an update cannot be applied immediately, disable or block the file-upload endpoint in the theme's code or via a web server rule.
  • Configure the server or use a security plugin to allow only approved file types for upload, rejecting all other extensions.
  • After applying a fix or mitigation, audit the site for any unauthorized or suspicious files and monitor request logs for abnormal upload activity.
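The weakness here is CWE-352: the upload endpoint acts on a request without proving that the request came from the site's own form. The following is an added example, not code from the Appointment theme or from OpenCVE, showing what a CSRF-resistant WordPress upload handler looks like: a capability check, a nonce check bound to a specific action, and an extension/MIME allowlist that also implements the "approved file types only" action above. All function and action names prefixed `theme_example_` are hypothetical; the `wp_*` and `check_admin_referer` calls are standard WordPress APIs.

```php
<?php
/**
 * Added example: a CSRF-resistant file-upload handler for a WordPress theme.
 * Function/action names prefixed theme_example_ are hypothetical; this is NOT
 * the Appointment theme's own code. It shows the three checks whose absence
 * turns a CSRF weakness (CWE-352) into an arbitrary file upload:
 *   1. a capability check (who may upload),
 *   2. a nonce check (did the request originate from our own form),
 *   3. an extension/MIME allowlist (what may be uploaded).
 */

// 1. Render the form with a nonce bound to one specific action name.
function theme_example_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="theme_example_upload">
        <?php wp_nonce_field( 'theme_example_upload', 'theme_example_nonce' ); ?>
        <input type="file" name="theme_example_file" accept="image/*">
        <button type="submit">Upload</button>
    </form>
    <?php
}

// 2. Handle the submission. The admin_post_{action} hook fires only for
//    logged-in users; anonymous submissions never reach this function.
function theme_example_handle_upload() {
    // Capability check: being logged in does not by itself grant upload rights.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: a cross-site page cannot read this per-user, per-action,
    // time-limited nonce, so a forged request fails here. Dies on failure.
    check_admin_referer( 'theme_example_upload', 'theme_example_nonce' );

    if ( empty( $_FILES['theme_example_file']['tmp_name'] ) ) {
        wp_die( 'No file received.', '', array( 'response' => 400 ) );
    }

    // Allowlist: only these extension/MIME pairs are accepted. Server-side
    // script types are rejected simply because they are not listed.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    $file  = $_FILES['theme_example_file'];
    // Checks the declared extension against the file's actual content type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted.', '', array( 'response' => 415 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,    // our own nonce check replaces core's form test
            'mimes'     => $allowed, // enforce the same allowlist inside core
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    // Success: $result['file'] is the stored path, $result['url'] its public URL.
    wp_safe_redirect( add_query_arg( 'uploaded', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_theme_example_upload', 'theme_example_handle_upload' );
```

When reviewing a theme or plugin for this class of bug, look for the inverse of this pattern: an upload handler registered on `admin_post_nopriv_*`, `wp_ajax_nopriv_*` or `init` (reachable without login), with no `check_admin_referer`/`wp_verify_nonce` call, and a call to `move_uploaded_file` or `wp_handle_upload` that does not constrain the MIME list. Any one of the three missing checks is a finding; all three missing is the CSRF-to-web-shell chain described in this record.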

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Priyanshumittal; Priyanshumittal appointment; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Priyanshumittal; Priyanshumittal appointment; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server. This issue affects Appointment: from n/a through <= 3.5.5.

Type: Title
Values Added: WordPress Appointment theme <= 3.5.5 - Cross Site Request Forgery (CSRF) to Arbitrary File Upload vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Subscriptions

Priyanshumittal Appointment
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:26.089Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39620

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:32.110

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:56Z

Weaknesses