The Slider Future WordPress plugin (versions 1.0.5 and below) carries CVE-2026-1405 (CVSS 9.8, CISA KEV-listed, EPSS 95th percentile), an unauthenticated arbitrary file upload vulnerability that enables direct web shell deployment and full server RCE. Active exploitation is confirmed by both CISA and VulnCheck KEV. Organizations should immediately disable or remove the plugin from all WordPress installations, scan upload directories for web shells, and upgrade to a patched version when available. Public proof-of-concept code lowers the exploitation barrier significantly.