Alert: Unauthenticated Arbitrary File Upload leading to RCE.
ZAST engine has identified a critical-severity vulnerability, CVE-2026-1405 (CVSS 9.8), in the Slider Future WordPress plugin. This flaw allows for Unrestricted Arbitrary File Upload, leading to full Remote Code Execution (RCE).

Key Technical Findings:
- Vulnerability: Unauthenticated Arbitrary File Upload to RCE
- Project Popularity: 1,000+ active installations.
- Verification: 100% verified via Autonomous PoC generation.

The vulnerability stems from a lack of authentication on the /wp-json/slider-future/v1/upload-image/ endpoint and a total absence of file type or content validation before writing to disk.

We have verified that an attacker can upload a malicious PHP script and gain control of the host server in seconds.

Check detail here:https://www.cve.org/CVERecord?id=CVE-2026-1405

@wordpress@lemmy.world @WordPress@mastodon.world @wordfence

#AppSec #ZAST #VulnerabilityResearch #WordPress #RCE

Our AI Agent recently audited Slider Future (1,000+ active installations) and identified a critical Unauthenticated RCE, now designated as CVE-2026-1405.

While pattern-matching approaches are effective at identifying broad code signatures, this specific vulnerability resides in the logical flow of the REST API.

The endpoint /upload-image/ allows unauthenticated access because the permission_callback is set to __return_true.

Check detail here:https://www.cve.org/CVERecord?id=CVE-2026-1405

@wordpress@lemmy.world @WordPress@mastodon.world @wordfence

#AppSec #ZAST #VulnerabilityResearch #WordPress #RCE

I've loved Elementor for so long. It's the page builder that I default to most of the time when I'm building sites for my clients at my agency. But lately it's gotten so bloated and hard to use.

Has anyone else noticed this?

I've build a few with the native block editor and I'm liking where that's finally heading.

Thought this was an interesting piece from WP Beginner. Granted it might be a bit bias being that the site is a WP site. But, I've seen these #'s elsewhere as well.

cross-posted from: https://lemmy.world/post/41972137

I've been a bit short sighted. I set up my WordPress instance on a server with... Not a huge amount of space. A year or so later, and now I'm running out. I have another server which I could serve files from, and it's got loads of space. Is there a way that I could get the Wordpress media library to just... Serve and upload from that one instead? Preferably migrate it there as well.

Too many people I find online get some sort of yuppie answer like an expensive plug-in with an Amazon CDN subscription. I just want to homebrew this. I don't intend to host the major site assets for the site structure on it, and I'm fine with images taking a little longer to load.

What is the easiest way to add a row in a acf repeater field from the front end? It is important that users cannot edit or delete other rows. I am struggling to find a way. One of the fields in repeater is an image.

https://salvatorenoschese.it/abbreviation-button-mu-per-gutenberg-guida-rapida/

#wordpress #plugin #WordpressDevelopment

@wp_ita @wordpress

I was sick of always fighting with WordPress to get a local set up to develop a plug-in or update the theme for a client, so I made a dev container.

As per the README, this supports:

• Automatic database dump import and site URL rename
• Automatic WordPress theme and plug-in loading from .zip, wpackagist or directory
• Mounting of a user-provided uploads directory

It also means your IDE automatically gets access to a WordPress installation for easy auto complete of WordPress functions and features when writing PHP code.

Theoretically, it can also easily be converted into a normal container if you don't use VSCode by setting up /workspace as a mount. Dev containers are unfortunately a bit broken with JetBrains products, and this container will not launch.

Contributions welcome!

Hello, I'd really like to post automatically from my website to Lemmy, do you happen to know any guide or plugin or whatever to achieve such goal?

I already use the Activity Pub plugin to post my website posts on Mastodon. I guess being in the fediverse it shouldn't be hard to have those posts here on Lemmy as well, am I wrong?

Thank you Marco

Matt Mullenweg went on The Verge's Decoder podcast at the end of June. Pretty enlightening. Also Tumblr isn't coming to the fediverse anytime soon. Bah!

I want to redesign my personal site around two things:

1 - Home page will be a personal landing page, like those “link in bio” tools to show people where you have accounts on social media, newsletters, etc. (such as https://bio.link/. I can share a basic personal page I’ve set up there but I don’t know if that’s allowed here)

2 - A decent blog experience, mainly for writing, sharing news links, and art I like (both personal and found)

Anyone know of a theme that tackles these two? I’m coming up empty handed with ThemeForest and Template Monster, even when trying variations of these keywords.

Thanks

I am not much old on lemmy and l have a lot of questions. Please don't assume me to be an AI 😊😊😊

My boss thinks it's very cute to talk about AI as much as possible, and today asked if I'd heard of "vibe coding". I said yeah, and explained to my coworker that it's where you get a chatbot to write all your code.

My boss has just announced that he's vibe coding. I know the project he's working on. It took us months to put that codebase together, and there are a lot of very complex functions and plugins in that site that we've written to integrate with all the systems our client needs the site to use.

What am I supposed to do here? He's just letting a chatbot go rogue on the codebase. Do I just leave him to it with the full knowledge that it'll fall on me and my colleague to repair all this damage, presumably while being accused of breaking the site in the first place? I need the money from this job so unfortunately leaving isn't an option at this stage.

It has been long in the coming (Oracle bought Sun and MySQL over 15 years ago), but seems WordPress is finally at the point where MariaDB popularity surpassed MySQL as shown by stats at https://wordpress.org/about/stats/.

The share of MySQL 8.4 users is oddly low, just 0.1 %. One would think it would still be at least 1% or something..

Hello! I am searching for a table Wordpress plug-in. But I would like to have a global table, and on single post displayed only lines associated with the exact post. Association can be done by a category or acf. Is there any plug-in with this option?

I'm new to WordPress and i've just managed to create a local site using bedrock running inside docker.

Are their any goods books/texts recommended for professional wordpress setup and development? My impression is that the titles I'm able to find online are out of date or of questionable relevance. Any ideas? Thanks a lot for your help!

Hi, I'm an experienced webdev but new to wordpress and was asked to build a maintainable webpage for a hobbyist group.
In the future they want to be able to maintain as much as possible themselves and for the remainder search for as broad a range of web-devs as possible.
Due to that I found it reasonable that they specifically requested I use wordpress, but they also requested elementor and astra.

Taking basically one long look at these I threw both of them out immediately and have been using a basic theme (twentytwentyfour) and no plugins so far.
My contact however keeps insisting "all the tutorials use astra/elementor" or variations thereof, so just to cover my bases here,
What is the community consensus on astra/elementor?
What plugins themes would you recommend for such a situation?

The page has a bunch of static text-pages, a somewhat complex page-frame (with top and sidemenus) and a few "article pages" (Where later maintainers can easily create "posts" i.e. subpages).
Running costs are unacceptable and I would very much like to avoid one-time costs.

Solution was to addtouch-action: auto !important; to the CSS!

Hi! I am the webmaster for my wordpress site, fusil.uk.

(Can also be viewed on some lemmy instances! !desk@fusil.uk and my other account is @xander@fusil.uk)

I have been trying to fix a problem where text links within anchor tags aren't clickable on mobile. If I set the browser to responsive mode on chromium, they aren't clickable either, regardless of resolution.

I have been trying to adjust anchor tags z indexes, checked several times to see if there were overlapping divs, etc, and yet to find a solution. It also affects my sub pages.

The closest I have gotten is that deleting the global-styles-inline-css fixes the problem, but obviously ruins the graphical aspect of my site. Changing the style doesn't fix it, but changing the entire theme does. Obviously, I want my theme to work.

Hovering over the link in responsive mode on the browser shows the url interestingly, but clicking has no effect.

My parent theme is twentytwentyfour and it should be up to date.

Any help is appreciated! Thank you!

original link: https://x.com/mehbubrashid/status/1897785740010176834

Matt Mullenweg has a huge chip on his shoulder that HE PUT THERE. He's taking it out on his top contributors.

Joost has nothing but the best interest at heart for the WordPress community. I would exactly say Mullenweg Silenced Joost, it's not like he killed him or anything, but he's not letting him speak at WC Asia.

I think Matt has gone off the deep end here and its' concerning beyond belief.

We really need to wrangle control of the project out of his hands.

I want to show a bunch of previews of websites on one page on a grid. The visual link preview addon just grabs an image from the page and the tagline, it doesnt actually show a site preview. Wpmains grid view of sites is a great example of what I want in the image. (Ik I can just take screenshots and get this done in minutes, I was hoping there was some dynamic addon that is easy to update)

By site preview I mean a literal preview of the website, thought that was obvious but the only adddon I've found for this purpose definitely doesn't do that.