CVE-2026-1988

Name of the Vulnerable Software and Affected Versions Flexi Product Slider and Grid for WooCommerce plugin for WordPress versions up to and including 1.0.5

Description The software contains a Local File Inclusion issue due to insufficient sanitization or validation of the theme parameter within the flexipsg carousel shortcode. This allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server by manipulating the theme parameter when creating posts with shortcodes. The vulnerability is a result of directly concatenating the theme parameter into a file path without proper security checks, enabling directory traversal.

Recommendations Versions prior to and including 1.0.5 should be updated.