CRITICAL · CVE-2026-39465 · CNA: Patchstack

CVE-2026-39465: WordPress Responsive Slider by MetaSlider plugin <= 3.106.0 - Remote Code Execution (RCE) vulnerability

Editor-level Remote Code Execution (RCE) in Responsive Slider by MetaSlider, versions <= 3.106.0.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: no fixed version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

A remote code execution vulnerability exists in the Responsive Slider by MetaSlider WordPress plugin at versions 3.106.0 and below. The flaw is reachable over the network and requires an authenticated account with elevated privileges (CVSS PR:H; the upstream summary names the Editor role as the minimum), but once authenticated an attacker can execute arbitrary code on the server. Because the CVSS scope is Changed (S:C), the impact is not confined to the plugin: successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the underlying host, including any data it processes. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

The CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images in connected registries and CI pipelines across every HarborGuard environment. Matching covers custom-built images that bundle the MetaSlider plugin alongside WordPress, not only stock WordPress images.
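The version match that this kind of detection relies on is easy to get wrong for MetaSlider, because its minor numbers run past 99 and a plain string comparison puts 3.99.x after 3.106.0. The script below is an added example for this page, not HarborGuard's scanner: it walks a WordPress docroot or an extracted image layer, reads each PHP file's WordPress plugin header (the same 8 KiB window WordPress itself parses), and flags MetaSlider at or below the advisory's upper bound. It assumes the plugin's "Plugin Name:" header contains "MetaSlider" and, since no fixed version is known, uses the advisory's "<= 3.106.0" as the bound; that constant must be revised once upstream ships a fix. The sample docroot it builds is constructed for the demonstration.

```python
"""Match a WordPress docroot or extracted image layer against CVE-2026-39465.

Added example, not HarborGuard's scanner. Assumptions: the plugin main file's
"Plugin Name:" header contains "MetaSlider"; the affected range is the
advisory's "<= 3.106.0" (no fix published yet, so revise AFFECTED_MAX later).
"""
import os
import re
import tempfile

AFFECTED_MAX = "3.106.0"  # upper bound of the affected range, per the advisory

# WordPress header lines look like " * Plugin Name: Foo" inside a comment block;
# allow the same leading junk WordPress tolerates (space, tab, /, *, #, @).
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*)$", re.M)
NAME_RE = re.compile(r"metaslider", re.I)  # assumption: header name contains MetaSlider


def parse_version(version):
    """Turn '3.106.0' into (3, 106, 0) so comparison is numeric per component.

    A plain string compare gets this wrong: '3.99.2' > '3.106.0' as strings,
    but 3.99.2 is older and therefore inside the affected range. Pre-release
    suffixes such as '-beta1' are dropped, which treats them as the base version.
    """
    parts = []
    for piece in re.split(r"[.\-+]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version, affected_max=AFFECTED_MAX):
    """True when version <= affected_max; shorter tuples are zero-padded so
    '3.106' compares equal to '3.106.0'."""
    a, b = parse_version(version), parse_version(affected_max)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def read_plugin_header(path):
    """Return the Plugin Name and Version headers from the first 8 KiB of a file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    fields = {}
    for match in HEADER_RE.finditer(head):
        value = re.sub(r"\s*\*/\s*$", "", match.group(2)).strip()  # drop a trailing */
        fields.setdefault(match.group(1), value)  # first occurrence wins, as in WordPress
    return fields


def scan(root):
    """Walk root and return one finding per plugin main file naming MetaSlider.

    'affected' is True/False from the version bound, or None when the file
    carries no Version header and must be checked by hand.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.endswith(".php"):
                continue
            path = os.path.join(dirpath, filename)
            header = read_plugin_header(path)
            if not NAME_RE.search(header.get("Plugin Name", "")):
                continue
            version = header.get("Version", "")
            findings.append({
                "path": path,
                "name": header["Plugin Name"],
                "version": version,
                "affected": is_affected(version) if version else None,
            })
    return findings


def build_sample_tree():
    """Constructed sample docroot: three MetaSlider copies and one unrelated plugin."""
    root = tempfile.mkdtemp(prefix="wp-docroot-")
    samples = {
        "ml-slider/ml-slider.php": ("MetaSlider", "3.106.0"),  # at the bound: affected
        "ml-slider-old/ml-slider.php": ("Responsive Slider by MetaSlider", "3.99.2"),  # older: affected
        "ml-slider-new/ml-slider.php": ("MetaSlider", "3.107.0"),  # above the bound: not affected
        "example-form/example-form.php": ("Example Contact Form", "1.2.0"),  # unrelated plugin
    }
    for rel, (name, ver) in samples.items():
        path = os.path.join(root, "wp-content", "plugins", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return root


if __name__ == "__main__":
    for finding in sorted(scan(build_sample_tree()), key=lambda f: f["path"]):
        status = {True: "AFFECTED", False: "ok", None: "UNKNOWN"}[finding["affected"]]
        print(f"{status:8} {finding['name']} {finding['version']} {finding['path']}")
```

Point `scan()` at a mounted image filesystem or a live docroot instead of the sample tree to use it for real. A missing Version header is reported as unknown rather than silently treated as safe, and the 8 KiB read keeps the walk cheap on large media directories.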
Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.1 (Critical) and applies per-environment compliance policy weighting to determine the urgency tier and route alerts to the appropriate team inbox within each customer organization.
Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available automatically the moment upstream releases a remediated version. For customers with auto-remediation enabled, the rebuild, the regression test run, and a PR against each affected workload follow without manual intervention once the fix ships.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin code is reached through the WordPress installation, so an attacker must be able to reach the site over HTTP or HTTPS.

  • Authentication: Required

    An authenticated WordPress account with elevated privileges is needed to trigger the vulnerable code path (CVSS PR:H). The upstream summary names the Editor role as the minimum, so Editor accounts are in scope as well as Administrators.

  • Victim interaction: Not required

    No action from another user is needed; the attacker drives the exploit without social engineering.

  • Attack complexity: Low

    Exploitation is reliable and requires no special timing, race conditions, or environmental setup beyond holding the required credentials.

Blast Radius

  • The attacker executes arbitrary code in the web server's PHP context and, from there, arbitrary operating system commands under the web server's account.
  • All data the site can reach becomes readable, including the WordPress database (user password hashes, stored session tokens, site content) and the database credentials held in wp-config.php.
  • The attacker can write, modify, or delete files on the server, including WordPress core files, plugin code, and uploaded media; a dropped web shell or modified plugin file persists even after the abused account is removed.
  • The underlying service can be crashed or rendered unavailable, taking down every site hosted on the same server instance.

How HarborGuard Handles This

Available on HarborGuard: detection against customer images is active now, matching any image that ships the MetaSlider plugin at an affected version. Because no upstream fix exists yet, compensating controls are the primary response path while waiting for a patch. Customers should consider:

  • Isolating WordPress containers behind a strict network policy that limits inbound access, and in particular access to the authenticated admin interface, to trusted IP ranges.
  • Disabling or removing the MetaSlider plugin entirely on instances where slider functionality is not required. Note that a deactivated plugin's files remain in the image, so image-level detection keeps flagging it until the plugin is removed or updated.
  • Auditing accounts at Editor level and above, not only administrators, since the upstream summary names Editor as the minimum role; removing stale or unused accounts reduces the pool of credentials that could be leveraged.

HarborGuard monitors the Patchstack advisory on every ingest cycle; the moment a fix version is published, a patched-image rebuild becomes available, and for customers with auto-remediation enabled the full rebuild-regression-PR flow kicks off automatically, targeting a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues once a fix is available.

Affected packages
  • MetaSlider / Responsive Slider by MetaSlider
    ≤ 3.106.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H