Add CVE-2026-1988 WordPress Flexi Product Slider Local File Inclusion #15402

Closed
stranger00135 wants to merge 3 commits into projectdiscovery:main from stranger00135:add-cve-2026-1988

@stranger00135

CVE-2026-1988 — Flexi Product Slider and Grid for WooCommerce <= 1.0.5 LFI

Local File Inclusion vulnerability allowing authenticated attackers to include and execute arbitrary files on the server.

✅ Verified — True Positive

Tested against Docker WordPress environment with vulnerable plugin version. Confirmed LFI via template parameter allowing inclusion of arbitrary PHP files.

✅ Validated — No False Positive

Without plugin installed, endpoint does not exist — no false trigger.

Template validation

  • Validated with vulnerable version (True Positive)
  • Validated with patched version (False Positive avoided)
  • All metadata complete (CVSS, CWE, CPE, Shodan/FOFA)
  • 3+ matchers with condition: and

References

@stranger00135
Author

Closing this PR — after further review I'm unable to meet all quality requirements. Thanks for your time.
