Mallory · Critical · Public exploit

Unauthenticated Arbitrary File Upload in WordPress Slider Future Plugin

Identifiers: CVE-2026-1405 · CWE-434 (Unrestricted Upload of File with…)

CVE-2026-1405 is an unauthenticated arbitrary file upload vulnerability in the Slider Future WordPress plugin by franchidesign, affecting all versions up to and including 1.0.5. The issue is caused by missing file type validation in the plugin function 'slider_future_handle_image_upload'. The vulnerable functionality is exposed through the WordPress REST API endpoint '/wp-json/slider-future/v1/upload-image/', which accepts a POST request with an 'image_url' parameter and processes it without authentication. The endpoint fetches the remote content named by the attacker-controlled 'image_url' value, stores it under the WordPress uploads directory, and returns both the public uploads URL and the filesystem path in its JSON response. Because file type validation is absent, an attacker may be able to place arbitrary files on the server, which can lead to code execution if executable content is accepted and reachable from the web.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated attacker to upload arbitrary files to the affected WordPress server. Depending on server configuration, file handling, and whether uploaded content can be executed from the target path, this may result in remote code execution, webshell deployment, full site compromise, persistence, and follow-on activity such as credential theft or lateral movement within the hosting environment. Even where direct code execution is not achieved, arbitrary file placement in a web-accessible uploads directory can still enable defacement, malware staging, or abuse of server-side fetch behavior.

Mitigation

If you can’t patch tonight, do this now.

Until a patched version is deployed, disable or deactivate the Slider Future plugin. Restrict access to '/wp-json/slider-future/v1/upload-image/' using WAF, reverse proxy, or web server rules. Prevent execution of PHP and other executable content from 'wp-content/uploads' and any plugin-controlled upload paths. Monitor for unexpected file creation in web-accessible directories and for suspicious requests to the vulnerable REST endpoint. Where possible, add detection for outbound fetches triggered by attacker-supplied 'image_url' values and block untrusted remote retrieval behavior.

Remediation

Patch, then assume compromise.

Upgrade the Slider Future plugin to a version newer than 1.0.5 if a patched release is available. If no fixed version is available, remove or deactivate the plugin from production systems. Review the vulnerable endpoint implementation and ensure strict server-side validation of allowed file types, content types, and file extensions, and require appropriate authorization for upload functionality. After remediation, inspect the WordPress uploads directory and related paths for unauthorized files, including potential webshells or other attacker-supplied content, and rotate credentials if compromise is suspected.
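The monitoring step in the mitigation section (watch for requests to the vulnerable REST endpoint and for unexpected files in web-accessible directories) and the post-remediation sweep of the uploads directory both lend themselves to a small triage script. The following is an added Python example; it is not code from this page, from the plugin, or from the exploit repository described below. It assumes combined-format access logs and a standard wp-content/uploads layout. The log lines, file names and file contents are constructed samples; the executable-extension and config-override lists are my own choices, not values from the page. The `?rest_route=` form is standard WordPress behaviour for sites without pretty permalinks, which matters because a WAF rule that only matches the `/wp-json/...` path would not see it.

```python
"""Defender-side triage helpers for CVE-2026-1405 (Slider Future <= 1.0.5).

Added example, not code from the Mallory page, the plugin, or the exploit repo.
  1. flag_endpoint_requests(): scan combined-format access-log lines for
     requests to the upload route (pretty path or ?rest_route=) and note the
     scanner User-Agent the page reports for the public exploit.
  2. audit_uploads_dir(): walk an uploads directory and report files that
     should not be there: executable (or double) extensions, server-config
     overrides, and PHP open tags inside image-named files.
All log lines and files used below are constructed samples.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

REST_ROUTE = "/slider-future/v1/upload-image"
VULN_ENDPOINT = "/wp-json" + REST_ROUTE + "/"
SCANNER_UA = "NxploitedScanner/1.1"  # User-Agent the page reports for the public exploit
# Assumed lists: extensions a PHP host may execute, and files that can re-enable execution.
EXEC_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar", ".cgi", ".pl", ".sh"}
CONFIG_OVERRIDES = {".htaccess", ".user.ini"}

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (RFC 5737 documentation addresses).
LOG_LINES = [
    '203.0.113.7 - - [20/Feb/2026:10:01:02 +0000] "POST /wp-json/slider-future/v1/upload-image/ HTTP/1.1" '
    '200 143 "-" "NxploitedScanner/1.1 (+https://github.com/Nxploited)"',
    '198.51.100.9 - - [20/Feb/2026:10:01:05 +0000] "GET /wp-content/uploads/2026/02/banner.jpg HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Feb/2026:10:02:11 +0000] "POST /index.php?rest_route=/slider-future/v1/upload-image/ HTTP/1.1" '
    '403 0 "-" "curl/8.4.0"',
    '192.0.2.44 - - [20/Feb/2026:10:03:00 +0000] "GET /wp-json/slider-future/v1/upload-image/ HTTP/1.1" '
    '404 52 "-" "Mozilla/5.0"',
]


def targets_vuln_endpoint(raw_path):
    """True if the request reaches the upload route via pretty permalink or ?rest_route=."""
    path, _, query = raw_path.partition("?")
    if path.rstrip("/") == VULN_ENDPOINT.rstrip("/"):
        return True
    # WordPress also serves REST routes as index.php?rest_route=/ns/v1/route; a filter
    # that only inspects the /wp-json/ path misses this form.
    route = parse_qs(query).get("rest_route", [""])[0]
    return route.rstrip("/") == REST_ROUTE


def flag_endpoint_requests(lines):
    """Return one dict per request that targets the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not targets_vuln_endpoint(m.group("path")):
            continue
        method, status = m.group("method"), int(m.group("status"))
        if method == "POST" and status == 200:
            severity = "high"    # upload request accepted: go inspect the uploads tree
        elif method == "POST":
            severity = "medium"  # attempt was blocked or failed
        else:
            severity = "low"     # probing or enumeration of the route
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": method,
                     "status": status, "known_scanner": SCANNER_UA in m.group("ua"),
                     "severity": severity})
    return hits


def build_sample_uploads(root):
    """Write a constructed uploads tree: one clean image plus four planted files."""
    samples = {
        "2026/02/banner.jpg": b"\xff\xd8\xff\xe0 constructed JPEG stand-in",
        "2026/02/shell.php": b"<?php /* constructed placeholder, not a real webshell */",
        "2026/02/logo.php.png": b"\x89PNG constructed double-extension sample",
        "2026/02/photo.jpg": b"GIF89a <?php /* constructed: PHP tag inside an image file */",
        ".htaccess": b"# constructed: server config override planted in uploads",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def audit_uploads_dir(root):
    """Return sorted (relative_path, reason) pairs for files that need review."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in CONFIG_OVERRIDES:
            findings.append((rel, "server config override in uploads"))
        elif any(s.lower() in EXEC_EXTENSIONS for s in path.suffixes):
            findings.append((rel, "executable extension"))
        else:
            head = path.read_bytes()[:4096]
            if b"<?php" in head or b"<?=" in head:
                findings.append((rel, "php open tag in non-php file"))
    return sorted(findings)


def audit_sample_tree():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_uploads(tmp)
        return audit_uploads_dir(tmp)


if __name__ == "__main__":
    for hit in flag_endpoint_requests(LOG_LINES):
        print(hit)
    for rel, reason in audit_sample_tree():
        print(f"{rel}: {reason}")
```

Point `audit_uploads_dir()` at a real `wp-content/uploads` after patching; a "high" log hit followed by a new file in the tree is the pairing to escalate. The extension check uses `Path.suffixes`, so `logo.php.png` is caught as well as `shell.php`, and `.htaccess`/`.user.ini` are reported separately because their presence, not their content, is what can make an otherwise blocked directory executable again.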

PUBLIC EXPLOITS

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 1 / 2 total

CVE-2026-1405 · Maturity: PoC · Verified exploit

Repository contains a single Python3 exploit tool (`CVE-2026-1405.py`) plus README, LICENSE, and `requirements.txt` (requests, rich). The script is a mass exploitation utility for CVE-2026-1405 affecting the WordPress Slider Future plugin (<= 1.0.5), leveraging an unauthenticated arbitrary file upload via the REST endpoint `/wp-json/slider-future/v1/upload-image/`.

Core behavior:

- Reads a list of target base URLs from a user-supplied file (default `list.txt`) and normalizes them (adds http:// if missing).
- For each target, sends a POST request to `TARGET + /wp-json/slider-future/v1/upload-image/` with form data `image_url=<attacker_shell_url>`.
- Parses the response (JSON or regex) to extract a returned `url` field that should point to the uploaded file on the victim.
- Verifies exploitation by issuing a GET request to the extracted URL and checking for HTTP 200 and an operator-provided signature string in the response body.
- Runs concurrently using `ThreadPoolExecutor` (default 10 threads) and writes verified successes to `success_results.txt`.

Notable implementation details:

- Disables TLS verification (`verify=False`) and suppresses urllib3 warnings.
- Sets `NO_PROXY='*'` to avoid proxy use.
- Uses a distinctive User-Agent string: `NxploitedScanner/1.1 (+https://github.com/Nxploited)`.

Overall purpose: operational mass uploader/validator intended to plant a PHP webshell (hosted externally by the operator) onto vulnerable WordPress sites, enabling follow-on remote code execution via the uploaded shell.

Nxploited · Disclosed Feb 20, 2026 · python · network