{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1405", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-24T14:56:58.422Z", "datePublished": "2026-02-19T04:36:09.197Z", "dateUpdated": "2026-04-08T16:45:48.712Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:48.712Z"}, "affected": [{"vendor": "franchidesign", "product": "Slider Future", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34b52ca2-c05f-49b7-846f-a67136d7d379?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-future/tags/1.0.5/slider-future.php#L177"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "timeline": [{"time": "2026-02-18T15:54:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:28:38.863898Z", "id": "CVE-2026-1405", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:38:32.984Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1405", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T17:28:38.863898Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:28:40.228Z"}}], "cna": {"title": "Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "franchidesign", "product": "Slider Future", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:54:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34b52ca2-c05f-49b7-846f-a67136d7d379?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/slider-future/tags/1.0.5/slider-future.php#L177"}], "descriptions": [{"lang": "en", "value": "The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:48.712Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1405", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:48.712Z", "dateReserved": "2026-01-24T14:56:58.422Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:09.197Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El plugin Slider Future para WordPress es vulnerable a la carga arbitraria de archivos debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n 'slider_future_handle_image_upload' en todas las versiones hasta la 1.0.5, inclusive. Esto permite a atacantes no autenticados cargar archivos arbitrarios en el servidor del sitio afectado, lo que puede posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2026-1405", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:43.883", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/slider-future/tags/1.0.5/slider-future.php#L177"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34b52ca2-c05f-49b7-846f-a67136d7d379?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Slider Future", "source": "cna", "vendor": "franchidesign"}, "product": "slider_future", "vendor": "franchidesign"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T23:44:24.440676+00:00", "value": {"mitigation_remediation": ["Upgrade Slider Future to a version above 1.0.5 or apply the vendor\u2011provided patch that validates uploaded file types", "If an update is not immediately available, configure the web server to reject uploads to the slider_future_handle_image_upload endpoint unless the requester holds administrator privileges", "Deploy a web application firewall rule or .htaccess rule that blocks execution of any uploaded files from the plugin\u2019s upload directory"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Slider Future plugin installed with a version of 1.0.5 or earlier. The affected product is franchidesign:Slider Future, which is widely available through the WordPress plugin repository.", "description_and_impact": "The Slider Future WordPress plugin allows an unauthenticated attacker to upload files without validating the file type, a weakness classified as CWE-434. The vulnerable function processes uploads in all releases up to version 1.0.5, permitting any file\u2014including executable scripts\u2014to be stored on the web server. The description indicates that uploading such scripts may lead to remote code execution, as it specifically says a remote code execution may be possible.", "risk_and_exploitability": "The vulnerability scores a CVSS of 9.8, indicating a critical risk level. An EPSS of 18% implies a moderate likelihood that exploit code has already appeared in the wild. Because the upload endpoint can be accessed by any user via a public URL and requires no authentication, the potential impact is global to the host. The vulnerability is not currently listed in the CISA KEV catalog, but the combination of high severity and an accessible upload endpoint makes it a prime target."}}}}, "created": "2026-02-19T10:07:19.355354+00:00", "updated": "2026-04-21T23:45:02.988332+00:00", "vendors": ["franchidesign", "franchidesign$PRODUCT$slider_future", "wordpress", "wordpress$PRODUCT$wordpress"]}