Appointment <= 3.5.5 allows attackers to upload malicious files to the server

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Appointment <= 3.5.5 allows attackers to upload malicious files to the server

CVE-2026-39620

Summary

A security weakness in Appointment software allows hackers to upload unauthorized files to a web server. This could lead to the server being taken over or used to spread malware. Update to Appointment 3.5.6 or later to fix this issue.

Original title

Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5.

Original description

Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5.

Vulnerability type

CWE-352 Cross-Site Request Forgery (CSRF)

https://patchstack.com/database/Wordpress/Theme/appointment/vulnerability/wordpr...

Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026