Wordpress Vulnerability (CVE-2026-1405) [PoC]
CVE-2026-1405
The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and includ...
Overview
A critical security vulnerability has been identified in the Slider Future plugin for WordPress. The flaw allows any visitor to your website, without needing a password or user account, to upload malicious files directly to your web server. This poses an immediate and severe risk to any site using the affected plugin versions.
Vulnerability Details
The vulnerability exists within the plugin’s image upload function, 'slider_future_handle_image_upload', which fails to validate the type of the files being submitted. In normal operation this function should accept only standard image files (such as JPG or PNG); because that validation is missing, it accepts any file type.
This includes executable script files, which an attacker can craft to take control of your website. The flaw is present in all versions of the Slider Future plugin up to and including version 1.0.5.
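As an added illustration (not the plugin's own code; the function, action and nonce names are hypothetical), here is the weak upload pattern the advisory describes beside a hardened WordPress AJAX handler that enforces a nonce, a capability check, an image allow-list, a magic-byte check and a server-generated filename:

```php
<?php
// Added example, not the plugin's code. Constructed illustration of the weak
// pattern described above: no nonce, no capability check, no file-type check,
// and a client-controlled filename. Shown only for contrast.
function weak_image_upload_example() {
    $dir = wp_get_upload_dir();
    move_uploaded_file( $_FILES['image']['tmp_name'], $dir['basedir'] . '/' . $_FILES['image']['name'] );
    wp_send_json_success();
}
// Hardened handler (hypothetical names; action and nonce strings are assumptions).
function hardened_image_upload_example() {
    // 1. Authenticated request with a valid nonce and the upload capability.
    check_ajax_referer( 'hardened_image_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['image'] ) || UPLOAD_ERR_OK !== $_FILES['image']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['image'];
    // 2. Allow-list of image types; core checks the extension against it and
    //    renames the file if the bytes are a different allowed image type.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'not an allowed image type', 415 );
    }
    // 3. Require the bytes to really be that image type: a script renamed to
    //    .png has no image header, so wp_get_image_mime() returns false here.
    if ( wp_get_image_mime( $file['tmp_name'] ) !== $check['type'] ) {
        wp_send_json_error( 'file content is not an image', 415 );
    }
    // 4. Never reuse the client's filename; build one from the verified extension.
    $file['name'] = wp_generate_uuid4() . '.' . $check['ext'];
    // 5. Let core move it into the uploads directory with the same allow-list.
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $moved['url'] ) );
}
// Logged-in users only: deliberately no wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_hardened_image_upload', 'hardened_image_upload_example' );
```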
Potential Impact
The primary risk is Remote Code Execution (RCE). By uploading a malicious script, an attacker can potentially:
- Gain full administrative control over your WordPress site.
- Deface your website or inject malicious content.
- Steal sensitive data, including customer information and database credentials.
- Use your server to launch further attacks or distribute malware.
- Disrupt your website’s operations.
Because the attack requires no authentication, it is trivial to exploit and is therefore rated as CRITICAL with a CVSS score of 9.8.
Remediation and Mitigation Steps
Immediate action is required to secure affected websites.
- Update Immediately: The most important step is to update the Slider Future plugin to the latest available version (1.0.6 or higher) if the developer has released a patch. Check your WordPress admin dashboard under “Plugins.”
- Disable if No Patch is Available: If an updated, patched version is not yet available, you must deactivate and completely delete the Slider Future plugin from your site as a temporary mitigation.
- Investigate for Compromise: If your site was running a vulnerable version, assume it may have been compromised. Review your site’s files for recent, unfamiliar uploads (e.g., in the /wp-content/uploads/ directory) and check for unauthorized administrative users. Consider a full security scan using a reputable security plugin.
- General Security Practice: Always keep all plugins, themes, and WordPress core updated to their latest versions. This is the single most effective practice to protect your site from known vulnerabilities.
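For the investigation step above, an added PHP command-line script (not part of this advisory; the default uploads path is an assumption) that walks wp-content/uploads and reports files that should not be there: an executable extension anywhere in the name, server configuration files, or content that opens with a PHP tag despite an image extension:

```php
<?php
// Added example for post-incident review of a WordPress uploads tree.
// Reports findings; it never deletes or modifies anything.
// Default $root is an assumption; pass the site's real uploads path as argv[1].
function scan_uploads_for_scripts( string $root ): array {
    $exec_exts = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'inc' );
    $findings  = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $path => $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        $name = $info->getFilename();
        // Check every dotted segment so "shell.php.jpg" is caught, not just the last one.
        $parts = explode( '.', strtolower( $name ) );
        array_shift( $parts ); // drop the base name
        foreach ( $parts as $ext ) {
            if ( in_array( $ext, $exec_exts, true ) ) {
                $findings[] = array( 'path' => $path, 'reason' => 'executable extension .' . $ext );
                continue 2;
            }
        }
        if ( '.htaccess' === $name || '.user.ini' === $name ) {
            $findings[] = array( 'path' => $path, 'reason' => 'server config file in uploads' );
            continue;
        }
        // Peek at the first bytes: real images begin with a magic header, not "<?".
        $head = file_get_contents( $path, false, null, 0, 512 );
        if ( false !== $head && preg_match( '/<\?(php|=)/i', $head ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'PHP open tag inside .' . $info->getExtension() . ' file' );
        }
    }
    return $findings;
}

// Usage: php scan_uploads.php /var/www/html/wp-content/uploads
$root = $argv[1] ?? '/var/www/html/wp-content/uploads';
if ( ! is_dir( $root ) ) {
    fwrite( STDERR, "not a directory: $root\n" );
    exit( 1 );
}
foreach ( scan_uploads_for_scripts( $root ) as $hit ) {
    printf( "%s\t%s\n", $hit['reason'], $hit['path'] );
}
```

Review each reported path against upload timestamps and the site's legitimate media before acting on it.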
CVE Identifier: CVE-2026-1405
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| Nxploited/CVE-2026-1405 (Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload) | ★ 4 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.