{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39620", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:26.089Z", "dateUpdated": "2026-04-08T08:30:26.089Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "appointment", "product": "Appointment", "vendor": "priyanshumittal", "versions": [{"lessThanOrEqual": "3.5.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.613Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.<p>This issue affects Appointment: from n/a through <= 3.5.5.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:26.089Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/appointment/vulnerability/wordpress-appointment-theme-3-5-5-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress Appointment theme <= 3.5.5 - Cross Site Request Forgery (CSRF) to Arbitrary File Upload vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5."}], "id": "CVE-2026-39620", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:32.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/appointment/vulnerability/wordpress-appointment-theme-3-5-5-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.5.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Appointment", "source": "cna", "vendor": "priyanshumittal"}, "product": "appointment", "vendor": "priyanshumittal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:13:34.526230+00:00", "value": {"mitigation_remediation": ["Update the Appointment theme to a version newer than 3.5.5 if one is available from the vendor.", "If an update cannot be applied immediately, disable or block the file\u2011upload endpoint in the theme\u2019s code or via a web server rule.", "Configure the server or use a security plugin to allow only approved file types for upload, rejecting all other extensions.", "After applying a fix or mitigation, audit the site for any unauthorized or suspicious files and monitor request logs for abnormal upload activity."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Upload via CSRF"}, "threat_synthesis": {"affected_systems": "The flaw is present in the Appointment theme created by priyanshumittal and applies to every released version up to and including 3.5.5; no newer versions are identified in the CVE entry.", "description_and_impact": "A Cross\u2011Site Request Forgery flaw in the WordPress Appointment theme lets a user upload an arbitrary file to the web server without any authentication checks. By uploading a malicious script such as a PHP web shell, an attacker can obtain remote code execution and compromise the integrity and confidentiality of the affected WordPress site.", "risk_and_exploitability": "The vulnerability requires the attacker to get a victim to follow a crafted request that triggers the upload endpoint. Because the request is not protected by a CSRF token, any user who loads a malicious page can trigger the upload, making the attack relatively easy if influential users can be lured. While the EPSS score is not available and the flaw is not listed in the CISA KEV catalog, the possibility of arbitrary file upload gives the vulnerability a high potential for exploitation should an attacker gain the ability to generate the required request."}}}}, "created": "2026-04-08T19:29:39.493296+00:00", "updated": "2026-04-08T19:41:56.435856+00:00", "vendors": ["priyanshumittal", "priyanshumittal$PRODUCT$appointment", "wordpress", "wordpress$PRODUCT$wordpress"]}