Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5.
AnalysisAI
WordPress Appointment theme versions through 3.5.5 suffer from Cross-Site Request Forgery (CSRF) enabling unauthenticated attackers to upload malicious web shells to the server. With CVSS 9.6 (Critical) and a changed scope, successful exploitation grants attackers remote code execution capabilities with high impact to confidentiality, integrity, and availability. EPSS probability is low (0.01%, 1st percentile), and no public exploit identified at time of analysis, though the CSRF-to-RCE chain represents a serious threat requiring immediate patching.
Technical ContextAI
This vulnerability affects the Appointment WordPress theme (CPE: cpe:2.3:a:priyanshumittal:appointment) developed by priyanshumittal. The root cause is CWE-352 (Cross-Site Request Forgery), where the theme fails to implement proper anti-CSRF tokens or nonce validation on file upload functionality. WordPress themes typically handle file uploads for customization features like logo uploads, background images, or media management. Without CSRF protection, an attacker can craft a malicious HTML form that, when visited by an authenticated WordPress administrator, automatically submits a file upload request to the vulnerable endpoint. The critical escalation occurs because the CSRF vulnerability is chained with unrestricted file upload, allowing arbitrary file types including PHP web shells. Once uploaded, these shells provide a persistent backdoor for remote code execution on the web server, effectively converting a CSRF flaw into full server compromise.
RemediationAI
Immediately upgrade the Appointment theme to a version newer than 3.5.5 if available, checking the theme's official repository or marketplace listing for patched releases. As of this analysis, no specific patched version number is confirmed from available data sources - administrators should monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/appointment/vulnerability/wordpress-appointment-theme-3-5-5-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability for vendor patch announcements. If no patch is released promptly, consider replacing the Appointment theme with an alternative WordPress theme that provides similar functionality but maintains active security support. As an immediate workaround, restrict WordPress admin panel access to trusted IP addresses via web server configuration (.htaccess or nginx rules) and implement Web Application Firewall (WAF) rules to block suspicious file upload requests. Educate administrators to avoid clicking unknown links while logged into WordPress, and review wp-content/uploads and theme directories for recently modified PHP files that could indicate existing compromise. Monitor server logs for unusual file upload activity and POST requests to theme endpoints.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20262
GHSA-5rf8-xhgp-9mg9