CVE-2026-1405

Slider Future · Slider Future WordPress Plugin

The Slider Future plugin for WordPress allows unauthenticated arbitrary file uploads, which can be leveraged to achieve remote code execution on the server.

Executive summary

A critical arbitrary file upload vulnerability in the Slider Future WordPress plugin allows unauthenticated attackers to upload malicious scripts and execute code remotely.

Vulnerability

The slider_future_handle_image_upload function does not properly validate the type of the file it receives, and it is reachable without authentication. An unauthenticated attacker can therefore upload arbitrary files, including PHP scripts, into a directory served by the web server and execute them by requesting them directly.

Business impact

The ability to upload and execute arbitrary files leads to a complete server compromise. Attackers can deface the website, exfiltrate sensitive data, or use the server as a jumping-off point for internal network attacks. The CVSS score of 9.8 reflects the high severity of unauthenticated RCE.

Remediation

Immediate Action: Update the Slider Future plugin to the latest version, which adds proper file validation. If the update cannot be applied right away, deactivate the plugin until it can be, since the vulnerable function needs no login to reach.

Proactive Monitoring: Check the plugin's upload directories (and the rest of wp-content/uploads) for files with executable extensions (e.g., .php, .php5, .phtml, .phar, .exe) that do not belong, including double extensions such as .php.jpg, and for unexpected .htaccess files, which an attacker with write access can drop to re-enable script execution. Preserve any such file for forensic review before removing it, and check the web server access logs for the request that created it and for later requests to it.

Compensating Controls: Configure the web server to refuse to execute scripts within the uploads directory. On Apache this can be done with an .htaccess file in the uploads directory (only honoured where AllowOverride permits it) or in the server configuration; under nginx, .htaccess files are ignored and an equivalent location rule is required. This does not stop the upload itself, so it is a stopgap until the plugin is updated, not a replacement for it.
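The monitoring check and the compensating control above, carried out in shell as an added example; this is not code from this advisory or from the Slider Future plugin. It assumes a standard WordPress layout under WP_ROOT, Apache 2.4 with AllowOverride enabled for the site, and a default extension list that you should extend for your environment. WP_ROOT, the function names and the extension list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Slider Future plugin.
# Assumptions: WordPress under WP_ROOT (uploads in wp-content/uploads),
# Apache 2.4 with AllowOverride enabled for the document root, and an
# extension list that is a reasonable default, not an exhaustive one.

WP_ROOT="${WP_ROOT:-/var/www/html}"   # assumed install path; override via env

# List every regular file under an uploads directory whose name ends in an
# extension a web server might hand to an interpreter. The '*.php.*' pattern
# catches double extensions such as shell.php.jpg, which Apache executes when
# PHP is wired up with AddHandler. Output is sorted in the C locale so it is
# stable across machines. An extension scan cannot see a PHP payload stored
# inside a real .jpg; that is what the server-side execution block is for.
find_executable_uploads() {
    uploads_dir="$1"
    find "$uploads_dir" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.php.*' \
           -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.cgi' \
           -o -iname '*.pl' -o -iname '*.sh' -o -iname '*.exe' \) \
        | LC_ALL=C sort
}

# An attacker who can write to uploads can also drop an .htaccess that
# re-enables execution or remaps extensions, so list those files as well.
find_uploads_htaccess() {
    find "$1" -type f -name '.htaccess' | LC_ALL=C sort
}

# Write an .htaccess that makes Apache refuse to serve script files from the
# uploads tree. php_flag only applies under mod_php and errors out when that
# module is absent (hence the IfModule guards); the FilesMatch block works
# under any SAPI, php-fpm included, so it is the rule to rely on.
# "Require all denied" is Apache 2.4 syntax (2.2 used "Deny from all").
install_uploads_htaccess() {
    uploads_dir="$1"
    cat > "$uploads_dir/.htaccess" <<'EOF'
# Block script execution in wp-content/uploads
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|php[0-9]|phtml|phar|pl|py|cgi|sh)$">
    Require all denied
</FilesMatch>
EOF
}

# Return 0 if the uploads .htaccess carries the deny rule, non-zero otherwise.
# Use it right after the change and periodically afterwards: an attacker with
# write access to uploads could have replaced or deleted the file.
check_uploads_htaccess() {
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Usage: sh harden_uploads.sh scan | harden | check   (operates on $WP_ROOT)
if [ "$#" -ge 1 ]; then
    uploads="$WP_ROOT/wp-content/uploads"
    case "$1" in
        scan)   find_executable_uploads "$uploads"; find_uploads_htaccess "$uploads" ;;
        harden) install_uploads_htaccess "$uploads" && echo "wrote $uploads/.htaccess" ;;
        check)  check_uploads_htaccess "$uploads" && echo "deny rule present" ;;
        *)      echo "usage: $0 scan|harden|check" >&2; exit 2 ;;
    esac
fi
```

Run `scan` before `harden`: the .htaccess the script writes is itself listed by `find_uploads_htaccess`, so establish what is in the tree first and treat any .htaccess you did not write as suspect. Under nginx with php-fpm the .htaccess is ignored; the equivalent is a rule such as `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` placed before the PHP location block, and the scan functions apply unchanged. Because the FilesMatch pattern is anchored at the end of the filename, a double-extension file is caught by the scan but not by the deny rule; if your PHP handler is configured with AddHandler rather than a FilesMatch/SetHandler pair, switch it, or the `php_flag engine off` line is the only thing stopping such a file under mod_php.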

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the direct path to RCE, this vulnerability requires immediate attention. Organizations should apply the update and verify that their web server configuration prevents script execution in public upload folders.