CVE-2026-1405 (CVSS 9.8, CISA KEV confirmed, priority 0.85) is a critical unauthenticated file upload vulnerability in the WordPress Slider Future plugin affecting all versions through 1.0.5, allowing any external attacker to upload PHP web shells and achieve remote code execution without credentials. EPSS at the 95th percentile and CISA KEV confirmation indicate active exploitation with automated tooling in the wild. Organizations should immediately disable or remove the Slider Future plugin from all WordPress installations, audit /wp-content/uploads/ for unauthorized PHP files, and update to a version above 1.0.5 if a patched release is available from the WordPress plugin repository.