How to fix CVE-2026-1988?

Within 24 hours: Inventory all WordPress instances using this plugin and disable the plugin immediately on affected sites. Within 7 days: Audit user access logs for suspicious activity from contributor-level accounts, review file integrity for unauthorized PHP execution, and evaluate alternative slider plugins. Within 30 days: Implement application-level access controls restricting the shortcode usage, deploy Web Application Firewall rules blocking directory traversal patterns in the theme parameter, and establish a formal plugin management policy requiring vendor security patch availability before deployment.

Is PHP affected by CVE-2026-1988?

A high-severity vulnerability in the Flexi Product Slider and Grid for WooCommerce plugin allows authenticated WordPress users with contributor-level access to execute arbitrary PHP code on affected servers.

CVE-2026-1988

HIGH

2026-02-14 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

CVE Published

Feb 14, 2026 - 07:16 nvd

HIGH 7.5

Description

The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the `flexipsg_carousel` shortcode. This is due to the `theme` parameter being directly concatenated into a file path without proper sanitization or validation, allowing directory traversal. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server via the `theme` parameter granted they can create posts with shortcodes.

Analysis

Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. …

Remediation

Within 24 hours: Inventory all WordPress instances using this plugin and disable the plugin immediately on affected sites. Within 7 days: Audit user access logs for suspicious activity from contributor-level accounts, review file integrity for unauthorized PHP execution, and evaluate alternative slider plugins. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2026-1988 vulnerability details – vuln.today

Back

CVE-2026-1988

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-1988

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code