The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads, allowing attackers to upload malicious files, including PHP shells, without authentication. Versions up to 1.0.5 are affected.
Vulnerability Details:
- Component: Slider Future (WordPress plugin)
- Affected Versions: ≤ 1.0.5
- CVE: CVE-2026-1405
- CVSS Score: 9.8 (Critical)
Exploitation occurs via the slider_future_handle_image_upload function, which lacks file type validation, enabling remote code execution.
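The two controls the vulnerable handler is described as missing (an authentication check and file type validation) look like this in a WordPress upload endpoint. This is an added example built on WordPress core APIs, not Slider Future's code or its patch; the action name, nonce action and `image` field name are hypothetical, and it assumes the upload is served as an admin-ajax action.

```php
<?php
// Added example, not Slider Future's code. The action name, nonce action and
// the 'image' field name are hypothetical.

// Registered only on wp_ajax_ (logged-in users). No wp_ajax_nopriv_ hook, so
// unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_slider_image_upload', 'example_slider_image_upload' );

function example_slider_image_upload() {
    // CSRF check, then capability check: only users allowed to upload media.
    check_ajax_referer( 'example_slider_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    if ( empty( $_FILES['image']['tmp_name'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded' ), 400 );
    }
    $file = $_FILES['image'];

    // Explicit allow-list: extension pattern => MIME type. Anything else,
    // including .php, .phtml and .phar, is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // Checks the extension against the allow-list and the claimed type against
    // the file contents; a file that fails either check has empty ext/type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed' ), 415 );
    }

    // wp_handle_upload() enforces the same allow-list again, sanitizes the
    // file name and moves the file into the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```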
Mitigation:
- Update the plugin to the latest version if available.
- Restrict upload directory access if an update isn’t available.
Secure your WordPress site!