Description
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page, provided they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages.
Published: 2026-04-16
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via plugin settings
Action: Patch
AI Analysis

Impact

The Livemesh Addons for Elementor plugin is vulnerable due to missing authorization checks on the AJAX handler lae_admin_ajax and insufficient escaping of checkbox settings. This allows a Subscriber or higher authenticated attacker with a valid nonce to store malicious JavaScript in the plugin’s settings. When an administrator later visits the settings page, the injected script executes in the admin’s browser, potentially enabling session hijacking, defacement, or other client‑side attacks.

Affected Systems

All versions of the Livemesh Addons for Elementor plugin up to and including 9.0, used on WordPress sites. The vulnerability exists in the plugin’s backend AJAX handling and settings pages, affecting any WordPress installation that has the plugin installed and permits Subscribers or higher to access the settings area.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.4, indicating a moderate risk. The exploitation probability is not provided. The flaw is not included in the CISA known exploited vulnerabilities catalog. Exploitation requires an authenticated user with at least Subscriber level access who can obtain a plugin‑generated nonce; once the nonce is known, the attacker can inject arbitrary script that is stored and later executed for any administrator that views the settings page. Because the attacker must be authenticated, the attack surface is limited to trusted users, yet the consequences for administrative accounts can be severe if the malicious code runs in their session.

Generated by OpenCVE AI on April 17, 2026 at 03:29 UTC.
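As an added illustration, not code from the Livemesh plugin, the two defects the description names (an AJAX handler that never checks the caller's capability, and a checkbox value echoed without escaping) beside their hardened form; all `ex_` names and the `lazy` setting are hypothetical.

```php
<?php
// Added illustration, not Livemesh code: the two defects the advisory names
// (no authorization check in the AJAX handler; unescaped checkbox output) and
// their hardened form. All "ex_" names and the 'lazy' setting are hypothetical.

// Vulnerable pattern: only the nonce is verified, so any logged-in user who
// has obtained a nonce can overwrite the settings, and the raw value is stored.
function ex_admin_ajax_vulnerable() {
    check_ajax_referer( 'ex_settings', 'nonce' );
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'ex_settings', $settings );   // no current_user_can(), no sanitization
    wp_send_json_success();
}

// Vulnerable output: the stored string lands in an attribute unescaped, so a
// value containing a quote breaks out of it and runs in the admin's browser.
function ex_render_checkbox_vulnerable( $settings ) {
    echo '<input type="checkbox" name="settings[lazy]" value="' . $settings['lazy'] . '">';
}

// Hardened handler: authorize first (a nonce is a CSRF token, not a permission
// check), then reduce the checkbox to the only two values it can legitimately
// hold before it reaches the database.
function ex_admin_ajax_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'ex_settings', 'nonce' );
    $raw   = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean = array( 'lazy' => empty( $raw['lazy'] ) ? 0 : 1 );
    update_option( 'ex_settings', $clean );
    wp_send_json_success();
}
add_action( 'wp_ajax_ex_admin_ajax', 'ex_admin_ajax_fixed' );

// Hardened output: fixed value attribute plus checked(), so nothing stored is
// written into the markup; esc_attr() is the fallback for fields that must echo a string.
function ex_render_checkbox_fixed( $settings ) {
    $on = ! empty( $settings['lazy'] ) ? 1 : 0;
    echo '<input type="checkbox" name="settings[lazy]" value="1" ' . checked( $on, 1, false ) . '>';
}

// The nonce must only be printed on pages gated by the same capability;
// otherwise it leaks to lower-privileged users, as the advisory describes.
function ex_render_nonce() {
    if ( current_user_can( 'manage_options' ) ) {
        wp_nonce_field( 'ex_settings', 'nonce' );
    }
}
```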

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Livemesh Addons for Elementor release (9.1 or newer) to receive the authorization checks and output escaping fix.
  • If an upgrade is unavailable, limit the plugin’s settings access to Administrators by modifying role capabilities or disabling the settings page for Subscribers and lower roles.
  • Disable the Livemesh Addons plugin or remove it entirely on sites that cannot be updated until the fixed version is applied.
  • Optionally, deploy a content filtering or sanitization plugin to remove potentially unsafe scripts from the plugin settings page output.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Livemeshelementor; Livemeshelementor addons For Elementor; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Livemeshelementor; Livemeshelementor addons For Elementor; Wordpress; Wordpress wordpress

Thu, 16 Apr 2026 07:15:00 +0000

Type: Description
Values Added: The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages.

Type: Title
Values Added: Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Livemeshelementor Addons For Elementor
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T12:55:37.314Z

Reserved: 2026-01-28T21:18:21.899Z

Link: CVE-2026-1572

Vulnrichment

Updated: 2026-04-16T12:55:31.909Z

NVD

Status : Received

Published: 2026-04-16T07:16:29.610

Modified: 2026-04-16T07:16:29.610

Link: CVE-2026-1572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses