Add vpatch-CVE-2026-1405 rule and test

[crowdsec-automation]

This rule detects exploitation attempts against the WordPress Slider Future plugin's unauthenticated file upload vulnerability (CVE-2026-1405). The attack is performed by sending a POST request to the /wp-json/slider-future/v1/upload-image/ endpoint with a JSON body containing an image_url parameter pointing to an attacker-controlled URL.

• The first rule condition matches requests to the vulnerable endpoint by checking if the URI contains /wp-json/slider-future/v1/upload-image/, using a lowercase transform for case insensitivity.
• The second rule condition inspects the JSON body argument image_url (using the json. prefix as per guidelines for JSON content) and checks if it contains the string http, indicating an external URL is being supplied for upload. Both lowercase and urldecode transforms are applied to ensure normalization and robust detection.
• The rule avoids false positives by tightly scoping to the specific endpoint and parameter involved in the exploit.

All value: fields are lowercase, transforms include lowercase where applicable, and contains is used for matching as per best practices. No regex is used where a simple substring match suffices.

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2026-1405 🔴

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.