Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2026-1405
PUBLISHED
Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload
- Vendor: franchidesign
- Product: Slider Future
- Published: Feb 19, 2026
- EPSS: 20.5% · 96% pctl
Description
The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Weaknesses (CWE)
- Unrestricted Upload of File with Dangerous Type
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status
Exploited in the wild
Recorded 2026-06-07 00:00:00 UTC · The Shadowserver (via CIRCL)
Proof of concept available
Recorded 2026-02-20 22:12:03 UTC · GitHub
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) First | 2026-06-07 00:00 UTC |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-1405.yaml | Jun 01, 2026 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-02-20 22:12:03 UTC · 5 stars
Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload
Timeline
- CVE ID Reserved
- CVE Published to Public
- Proof of Concept Exploit Available
- Detected by Nuclei
- Added to KEVIntel