CVE-2026-39465
Description
A remote code execution vulnerability in MetaSlider plugin <=3.106.0 allows authenticated editors to execute arbitrary commands, leading to full site compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Responsive Slider by MetaSlider plugin for WordPress, versions up to and including 3.106.0, contains a remote code execution (RCE) vulnerability. The flaw resides in the editor functionality, allowing users with editor-level access to inject and execute arbitrary PHP code. The vulnerable code is in the plugin's slider management interface, where input is insufficiently validated and sanitized. [1]
Exploitation
An attacker must have a WordPress account with editor privileges or higher. The attacker can craft a malicious request to the plugin's editor endpoint, injecting PHP code that gets executed on the server. No additional user interaction is required beyond the attacker's own actions. The vulnerability is expected to be exploited in mass campaigns targeting thousands of sites. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the target server, potentially gaining backdoor access and full control over the WordPress site. This can lead to data theft, site defacement, malware distribution, and further compromise of the hosting environment. [1]
Mitigation
The vulnerability is fixed in version 3.107.0 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a virtual mitigation rule that blocks attacks until the update is applied. The vulnerability is listed as highly dangerous and expected to be exploited. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.106.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.