CVE-2026-1405
Arbitrary File Upload in Slider Future Plugin Enables RCE
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slider_future | slider_future | to 1.0.5 (inc) |
| slider_future | slider_future_plugin | to 1.0.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Slider Future plugin for WordPress has a vulnerability in its 'slider_future_handle_image_upload' function where it does not properly validate the type of files being uploaded. This flaw exists in all versions up to and including 1.0.5.
Because of this missing file type validation, an unauthenticated attacker can upload arbitrary files to the server hosting the affected WordPress site.
This arbitrary file upload can potentially lead to remote code execution on the server.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including allowing attackers to upload malicious files without authentication.
Such unauthorized file uploads can lead to remote code execution, meaning attackers could run arbitrary code on your server.
This could result in full compromise of the affected website, data breaches, defacement, or use of the server for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know