A high-severity local file inclusion (LFI) flaw affects the Flexi Product Slider and Grid for WooCommerce plugin in all versions up to and including 1.0.5.
While no active exploitation has been observed yet, its potential for arbitrary code execution makes it a priority for patching.
At its core, the issue stems from improper handling of the theme parameter in the flexipsg_carousel shortcode. Developers at WPDecent failed to sanitize or validate this input before concatenating it directly into a file path.
This oversight enables directory traversal attacks, where attackers can manipulate the parameter to point to arbitrary files on the server.
For instance, a malicious shortcode [flexipsg_carousel theme=../../../wp-config.php] could include sensitive configuration files or, worse, executable PHP scripts.
Exploitation requires authenticated access at the Contributor level or higher, plus the ability to create posts containing shortcodes. On sites with collaborative editing workflows, this significantly lowers the bar.
An attacker could embed the tainted shortcode in a draft post, publish it, and trigger the inclusion during rendering.
The CVSS v3.1 base score of 7.5 (High) reflects this: network accessibility (AV:N), high attack complexity (AC:H) due to the prerequisites, low privileges required (PR:L), no user interaction (UI:N), and unchanged scope (S:U) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
| Vulnerability Details | Description |
|---|---|
| CVE ID | CVE-2026-1988 |
| Severity | High (CVSS 7.5) |
| Affected Product | Flexi Product Slider and Grid for WooCommerce |
| Affected Versions | ≤ 1.0.5 |
| CWE | CWE-98 (PHP Remote File Inclusion), CWE-22 (Path Traversal) |
| Attack Vector | Network (AV:N), Authenticated (PR:L) |
The vulnerable code appears in class-flexipsg-shortcode.php around line 82, where the theme value feeds straight into PHP’s include or require without checks.
Verify this in the plugin’s Trac repository for both trunk and the 1.0.5 tag. Once exploited, LFI could dump database credentials, execute shell commands, or pivot to a full server takeover, especially on e-commerce sites handling payments.
Who faces the biggest threat? Multi-author WordPress sites running WooCommerce, such as blogs, stores, or media galleries that rely on contributor posts.
Open workflows amplify the risk, since low-privilege users routinely build content with shortcodes for product sliders. Attackers could also chain this flaw with credential stuffing or social engineering to obtain the initial Contributor-level access.
Detection isn’t straightforward but is feasible. Scan server logs for shortcode-triggered PHP errors, anomalous 500 responses from include failures, or unusual file paths in access logs.
Watch for new PHP files in plugin directories after content is published, or spikes in 401/403 errors from authenticated sessions that are experimenting with shortcodes. Tools like fail2ban or WAFs tuned for LFI patterns (e.g., ../ sequences) help, alongside monitoring PHP error logs for path resolution issues.
Mitigation demands swift action. Upgrade beyond 1.0.5 immediately; WPDecent has likely issued a patch by now. In the interim, turn off the flexipsg_carousel shortcode via hooks, enforce strict sanitization on theme inputs (e.g., allowlist approved themes), and tighten file permissions to prevent PHP execution outside approved directories.
Revoke unnecessary Contributor rights, audit user-generated content, and deploy WAF rules that block traversal payloads; test changes in staging first to avoid disrupting sliders.
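As an added illustration (not the plugin’s own code; the templates directory and the theme names are assumed), the handler pattern the advisory describes sits next to a hardened version that applies the allowlist and a realpath() containment check:

```php
<?php
// Hypothetical illustration of the vulnerable pattern and a hardened
// replacement. Not code from the Flexi Product Slider and Grid plugin.

// --- Vulnerable pattern: the untrusted attribute flows straight into include() ---
function flexipsg_carousel_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'theme' => 'default' ), $atts, 'flexipsg_carousel' );
    // theme=../../../wp-config.php walks out of templates/ and includes that file.
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['theme'];
    return ob_get_clean();
}

// --- Hardened: allowlist first, then a canonical-path containment check ---
function flexipsg_carousel_hardened( $atts ) {
    // Allowlist of shipped templates (names assumed for this example).
    $allowed = array( 'default', 'dark', 'grid' );

    $atts  = shortcode_atts( array( 'theme' => 'default' ), $atts, 'flexipsg_carousel' );
    $theme = sanitize_key( $atts['theme'] );   // strips everything outside [a-z0-9_-]
    if ( ! in_array( $theme, $allowed, true ) ) {
        $theme = 'default';                     // unknown name: fall back, never include it
    }

    // Defence in depth: resolve both paths and confirm the file stays inside templates/.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = ( false === $base ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $theme . '.php' );
    if ( false === $base || false === $file
         || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return '';                              // missing or escaped path: render nothing
    }

    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'flexipsg_carousel', 'flexipsg_carousel_hardened' );
```

The allowlist alone closes the traversal; the realpath() check is kept so a future template added outside the allowlist logic still cannot reach beyond templates/.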
This flaw underscores a persistent PHP plugin pitfall: trusting shortcode params without validation. WordPress’s shortcode system empowers creators but exposes servers when devs skip basics like realpath() or basename checks.
Sites that ignore this could face rapid compromise, especially if attackers pair it with other WooCommerce vulnerabilities.
Site: cybersecuritypath.com