CVE-2026-1988: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in wpdecent Flexi Product Slider and Grid for WooCommerce
The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the `flexipsg_carousel` shortcode. This is due to the `theme` parameter being directly concatenated into a file path without proper sanitization or validation, allowing directory traversal. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server via the `theme` parameter, provided they can create posts with shortcodes.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-1988 identifies a Local File Inclusion vulnerability in the wpdecent Flexi Product Slider and Grid for WooCommerce plugin for WordPress, present in all versions up to and including 1.0.5. The vulnerability stems from the 'theme' parameter of the flexipsg_carousel shortcode being concatenated directly into a file path without input validation or sanitization, which allows directory traversal. Authenticated users with Contributor-level permissions or higher can exploit this by creating posts containing shortcodes whose 'theme' parameter points at an arbitrary PHP file on the server, which the plugin then includes. This can lead to remote code execution with the web server's privileges. The vulnerability requires no user interaction beyond the attacker's own actions and has a CVSS 3.1 base score of 7.5 (high severity). The attack vector is network-based, but attack complexity is rated high because of the need for authenticated access and crafted shortcodes. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is categorized under CWE-98 (improper control of filename for include/require statements in PHP programs), a common cause of file inclusion and code execution vulnerabilities in PHP-based applications.
Potential Impact
The impact of CVE-2026-1988 is significant for organizations running WordPress sites with the vulnerable Flexi Product Slider and Grid for WooCommerce plugin. Successful exploitation allows attackers with low-level authenticated access (Contributor or higher) to execute arbitrary PHP code on the server, potentially leading to full site compromise, data theft, defacement, or pivoting to internal networks. This threatens confidentiality by exposing sensitive data, integrity by allowing unauthorized code execution and content modification, and availability by enabling denial-of-service or backdoor installation. The requirement for authenticated access limits exposure to some extent but does not eliminate risk, especially in environments with many contributors or weak access controls. E-commerce sites using WooCommerce are particularly at risk due to the plugin's integration, potentially impacting customer data and transaction integrity. The lack of known exploits in the wild suggests limited active exploitation currently, but the vulnerability's nature makes it a prime target for attackers once weaponized. Organizations worldwide with WordPress e-commerce deployments should consider this a high-priority risk.
Mitigation Recommendations
To mitigate CVE-2026-1988, organizations should immediately audit their WordPress installations for the presence of the Flexi Product Slider and Grid for WooCommerce plugin and verify the version in use. Since no official patch links are provided, administrators should consider the following steps:
1) Temporarily disable or remove the vulnerable plugin until a vendor patch is released.
2) Restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode insertion.
3) Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit the 'theme' parameter in the flexipsg_carousel shortcode, focusing on directory traversal patterns.
4) Monitor logs for unusual shortcode usage or file inclusion attempts.
5) Harden PHP configurations to disable dangerous functions and restrict file inclusion paths where possible.
6) Educate content creators on secure shortcode usage and the risks of including untrusted code.
7) Once a vendor patch is available, apply it promptly and verify the fix.
These actions focus on access control, monitoring, and temporary plugin management to reduce the attack surface until a fix is available.
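As an added example (not the plugin's code and not part of the advisory), the snippet below shows the generic CWE-98 pattern described in the Technical Summary beside a hardened shortcode handler of the kind a vendor fix or a site-level hardening (step 5) would need: the attribute is resolved against a fixed allowlist and the resolved path is checked to stay inside the templates directory. The `example_carousel` shortcode name, the `templates/` directory and the theme names are assumptions; `shortcode_atts`, `sanitize_key`, `plugin_dir_path` and `add_shortcode` are standard WordPress functions.

```php
<?php
// Added example (hypothetical plugin code, not wpdecent's): the general
// CWE-98 pattern behind CVE-2026-1988 and one way to close it.

// Hypothetical vulnerable form: the shortcode attribute is concatenated into
// the include path, so whatever value a Contributor puts in the shortcode
// selects the file that gets included and executed.
function example_carousel_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'theme' => 'default' ), $atts, 'example_carousel' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['theme'] . '.php'; // CWE-98
    return ob_get_clean();
}

// Hardened form: only names from a fixed allowlist are accepted, anything
// else falls back to the default, and the resolved path is verified to sit
// under the templates directory before it is included.
const EXAMPLE_CAROUSEL_THEMES = array( 'default', 'dark', 'minimal' ); // assumed theme names

function example_carousel_template_path( $theme ) {
    if ( ! in_array( $theme, EXAMPLE_CAROUSEL_THEMES, true ) ) {
        $theme = 'default';
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $theme . '.php' );
    // Defence in depth: even with the allowlist, refuse a path that resolved
    // outside $base (symlinks, missing files, unexpected layout).
    if ( false === $base || false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

function example_carousel_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'theme' => 'default' ), $atts, 'example_carousel' );
    // sanitize_key() reduces the attribute to [a-z0-9_-] before the allowlist check.
    $path = example_carousel_template_path( sanitize_key( $atts['theme'] ) );
    if ( null === $path ) {
        return ''; // render nothing rather than include an unexpected file
    }
    ob_start();
    include $path;
    return ob_get_clean();
}
add_shortcode( 'example_carousel', 'example_carousel_shortcode_safe' );
```

The allowlist is the actual fix; the `realpath` containment check only guards against the allowlist drifting out of sync with the filesystem. When reviewing a plugin for this class of bug, the thing to look for is any shortcode or request attribute that reaches `include`, `require` or `load_template` without passing through a lookup like `example_carousel_template_path`.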
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-05T15:16:04.703Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901aeec9e1ff5ad868940c
Added to database: 2/14/2026, 6:49:18 AM
Last enriched: 2/21/2026, 10:21:36 PM
Last updated: 3/31/2026, 1:51:35 PM