Cyber Posture

CVE-2026-1405

Critical

Published: 19 February 2026
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1871 (95.3rd percentile)
Risk Priority: 31 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)

prevent

Directly enforces validation of information inputs such as file types during uploads, addressing the missing file type validation in the slider_future_handle_image_upload function.

prevent

Requires identification, reporting, and correction of flaws like this arbitrary file upload vulnerability through timely plugin updates or removal.

prevent / detect

Implements malicious code protection mechanisms to scan for and block dangerous files uploaded via the vulnerability, preventing or detecting potential remote code execution.
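As an added illustration of the first control above (input validation on upload), here is a WordPress AJAX image-upload handler that enforces an image allow-list with WordPress's own file-type checks. This is example code, not the plugin's code and not a reconstruction of slider_future_handle_image_upload, whose source is not reproduced here; the action, function, field and nonce names are hypothetical placeholders.

```php
<?php
// Added example (not the Slider Future plugin's code). Hypothetical names throughout.

// Registered only on wp_ajax_ (not wp_ajax_nopriv_), so anonymous requests never reach it.
add_action( 'wp_ajax_example_image_upload', 'example_handle_image_upload' );

function example_handle_image_upload() {
    // 1. Authorization: the caller must hold the upload capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. CSRF protection: the request must carry a valid nonce in the 'nonce' field.
    check_ajax_referer( 'example_image_upload', 'nonce' );

    if ( empty( $_FILES['image'] ) || ! is_array( $_FILES['image'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    $file = $_FILES['image'];

    // 3. Allow-list of image types. The client-supplied extension and MIME type are
    //    never trusted on their own.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    // wp_check_filetype_and_ext() matches the extension against the allow-list and,
    // for images, verifies the actual file content (getimagesize / fileinfo).
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress move the file: it sanitizes the filename, re-checks the type
    //    against the same allow-list and stores the file under the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}
```

The three layers (capability check, nonce, content-based type allow-list) each close a path the description above attributes to the vulnerable handler: unauthenticated access and missing file type validation.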

Security Summary

CVE-2026-1405 is an arbitrary file upload vulnerability in the Slider Future plugin for WordPress, affecting all versions up to and including 1.0.5. The flaw arises from missing file type validation in the `slider_future_handle_image_upload` function, allowing attackers to upload arbitrary files to the affected site's server. Published on 2026-02-19, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By sending crafted requests to the upload endpoint, they can place malicious files on the server, potentially enabling remote code execution depending on server configuration and file types permitted by PHP or hosting restrictions.

Advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/34b52ca2-c05f-49b7-846f-a67136d7d379?source=cve and the plugin source code at https://plugins.trac.wordpress.org/browser/slider-future/tags/1.0.5/slider-future.php#L177, provide details on the issue, including the exact code location for analysis. Mitigation is through plugin updates, or removal of the plugin if no patch is available.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An arbitrary file upload in a public-facing WordPress plugin enables exploitation of a public-facing application (T1190) and facilitates deployment of web shells for remote code execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References