CVE-2026-1988

Flexi · Flexi Product Slider and Grid for WooCommerce

The Flexi Product Slider and Grid for WooCommerce plugin is vulnerable to Local File Inclusion (LFI), which could allow attackers to read sensitive system files.

Executive summary

A high-severity Local File Inclusion vulnerability in the Flexi Product Slider and Grid plugin could allow attackers to expose sensitive server files and potentially escalate privileges.

Vulnerability

The plugin suffers from a Local File Inclusion (LFI) flaw due to insufficient validation of user-supplied input. This allows an attacker to include and execute local files on the server, potentially exposing sensitive configuration files like wp-config.php.

Business impact

The exposure of sensitive files can lead to the compromise of database credentials and other secret keys. This information can be leveraged to gain full administrative access to the WordPress site and the underlying server, resulting in data breaches and total system takeover. The CVSS score of 7.5 reflects this high potential for data compromise.

Remediation

Immediate Action: Update the Flexi Product Slider and Grid for WooCommerce plugin to the latest version or remove it if it is no longer required for site functionality.

Proactive Monitoring: Scan server logs for directory traversal patterns (e.g., ../..) targeting the plugin's directory.

Compensating Controls: Implement file system permissions that restrict the web server's ability to read sensitive files outside of the necessary web directories.
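The log scan described under Proactive Monitoring could look like the following. This is an added example, not code from the plugin or its vendor. The plugin directory name, the query parameter `p`, and the log lines are constructed placeholders, because the advisory does not give the real path or parameter.

```python
import re
from urllib.parse import unquote

# Assumption: placeholder slug; replace with the plugin's real directory name.
PLUGIN_DIR = "/wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/"
# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# "../" or "..\" once all percent-encoding has been removed.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded traversal is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines, plugin_dir=PLUGIN_DIR):
    """Return (client_ip, decoded_target) for plugin requests containing traversal."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP entry
        target = fully_decode(match.group(1))
        if plugin_dir.lower() in target.lower() and TRAVERSAL_RE.search(target):
            hits.append((line.split(" ", 1)[0], target))
    return hits

# Constructed sample entries (documentation IP ranges, placeholder parameter "p").
_P, _T = PLUGIN_DIR, "[10/Feb/2026:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.5 - - {_T} "GET {_P}assets/style.css HTTP/1.1" 200 512',
    f'198.51.100.7 - - {_T} "GET {_P}?p=../../../wp-config.php HTTP/1.1" 200 90',
    f'198.51.100.8 - - {_T} "GET {_P}?p=..%2f..%2fwp-config.php HTTP/1.1" 200 90',
    f'198.51.100.9 - - {_T} "GET {_P}?p=%252e%252e%252fwp-config.php HTTP/1.1" 200 90',
    f'192.0.2.44 - - {_T} "GET /index.php?p=../../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, target in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{target}")
```

A hit with a 200 response is a reason to follow the rotation advice in the analyst recommendation. A scan with no hits is not proof of no exploitation if logs have been rotated or request bodies are not logged.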

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate action is required to patch this LFI vulnerability. Given the risk of sensitive file disclosure, administrators should also consider rotating database passwords and secret keys if there is any suspicion that the vulnerability was previously exploited.