{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1988", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T15:16:04.703Z", "datePublished": "2026-02-14T06:42:37.658Z", "dateUpdated": "2026-04-08T17:35:25.316Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:25.316Z"}, "affected": [{"vendor": "wpdecent", "product": "Flexi Product Slider and Grid for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the `flexipsg_carousel` shortcode. This is due to the `theme` parameter being directly concatenated into a file path without proper sanitization or validation, allowing directory traversal. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server via the `theme` parameter granted they can create posts with shortcodes."}], "title": "Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdd5446-5835-4976-b764-9b5c75251438?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flexi-product-slider-grid/trunk/includes/class-flexipsg-shortcode.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/flexi-product-slider-grid/tags/1.0.5/includes/class-flexipsg-shortcode.php#L82"}, {"url": "https://cwe.mitre.org/data/definitions/98.html"}, {"url": "https://cwe.mitre.org/data/definitions/22.html"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "cweId": "CWE-98", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-13T18:20:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:38:22.756022Z", "id": "CVE-2026-1988", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:45:03.884Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1988", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-17T15:38:22.756022Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:38:28.305Z"}}], "cna": {"title": "Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wpdecent", "product": "Flexi Product Slider and Grid for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:20:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdd5446-5835-4976-b764-9b5c75251438?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flexi-product-slider-grid/trunk/includes/class-flexipsg-shortcode.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/flexi-product-slider-grid/tags/1.0.5/includes/class-flexipsg-shortcode.php#L82"}, {"url": "https://cwe.mitre.org/data/definitions/98.html"}, {"url": "https://cwe.mitre.org/data/definitions/22.html"}], "descriptions": [{"lang": "en", "value": "The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the `flexipsg_carousel` shortcode. This is due to the `theme` parameter being directly concatenated into a file path without proper sanitization or validation, allowing directory traversal. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server via the `theme` parameter granted they can create posts with shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-14T06:42:37.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1988", "state": "PUBLISHED", "dateUpdated": "2026-02-17T15:45:03.884Z", "dateReserved": "2026-02-05T15:16:04.703Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:37.658Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the `flexipsg_carousel` shortcode. This is due to the `theme` parameter being directly concatenated into a file path without proper sanitization or validation, allowing directory traversal. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server via the `theme` parameter granted they can create posts with shortcodes."}, {"lang": "es", "value": "El plugin Flexi Product Slider y Grid para WooCommerce para WordPress es vulnerable a la inclusi\u00f3n local de ficheros en todas las versiones hasta la 1.0.5, inclusive, a trav\u00e9s del shortcode 'flexipsg_carousel'. Esto se debe a que el par\u00e1metro 'theme' se concatena directamente en una ruta de fichero sin una sanitizaci\u00f3n o validaci\u00f3n adecuadas, lo que permite el salto de directorio. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, incluyan y ejecuten ficheros PHP arbitrarios en el servidor a trav\u00e9s del par\u00e1metro 'theme' siempre que puedan crear publicaciones con shortcodes."}], "id": "CVE-2026-1988", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:12.670", "references": [{"source": "security@wordfence.com", "url": "https://cwe.mitre.org/data/definitions/22.html"}, {"source": "security@wordfence.com", "url": "https://cwe.mitre.org/data/definitions/98.html"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/flexi-product-slider-grid/tags/1.0.5/includes/class-flexipsg-shortcode.php#L82"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/flexi-product-slider-grid/trunk/includes/class-flexipsg-shortcode.php#L82"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdd5446-5835-4976-b764-9b5c75251438?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.5]"}}], "product": "flexi_product_slider_and_grid_for_woocommerce", "vendor": "wpdecent"}], "analysis": {"en": {"generated_at": "2026-04-15T18:24:19.898542+00:00", "value": {"mitigation_remediation": ["Update the plugin to the latest available version where the theme attribute input is properly validated.", "If a patch is not immediately available, remove or disable the flexipsg_carousel shortcode for contributors and restrict post creation to administrators only.", "Apply file system permissions that prevent PHP execution of arbitrary paths, and configure a web application firewall to block directory traversal patterns in shortcode attributes."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion (LFI) via the theme shortcode attribute"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Flexi Product Slider and Grid for WooCommerce plugin provided by wpdecent. All versions 1.0.5 or earlier are susceptible. Users of the plugin in any WordPress setup that allows contributors to create or edit posts carrying shortcodes are affected.", "description_and_impact": "The Flexi Product Slider and Grid for WooCommerce plugin allows a local file inclusion vulnerability in all releases up to and including 1.0.5. The flaw is caused by the theme attribute of the flexipsg_carousel shortcode being concatenated into a file path without sanitization or validation, enabling an authenticated user with Contributor role or higher to supply arbitrary paths. If exploited, the attacker can read or execute any PHP file present on the server, potentially compromising the integrity and confidentiality of the WordPress installation and any data it hosts.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating high severity, but the EPSS score is below 1%, suggesting a low probability of exploitation at present. It is not listed in the CISA KEV catalog. Exploitation requires authenticated access at least at the contributor level and the ability to inject the flexipsg_carousel shortcode into a post. Attackers could therefore target sites where contributors have been granted posting privileges, creating a malicious post that includes the forged theme path to include and run arbitrary PHP code."}}}}, "created": "2026-02-16T12:01:58.886459+00:00", "updated": "2026-04-15T18:30:10.941946+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdecent", "wpdecent$PRODUCT$flexi_product_slider_and_grid_for_woocommerce"]}