Description
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.
Published: 2026-04-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Remote File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion because the template name parameter in the lae_get_template_part() function is not properly sanitized. This flaw allows authenticated users with Contributor or higher roles to supply a recursive directory traversal string that bypasses the naive str_replace sanitization. An attacker can therefore include and execute arbitrary files located on the web server, potentially reading sensitive data or running PHP code that leads to system compromise.

Affected Systems

All releases of the Livemesh Addons by Elementor plugin up to and including version 9.0 are affected. No further version granularity is available from the vendor information.

Risk and Exploitability

The vulnerability poses a significant risk because it enables an authenticated contributor or higher role to gain filesystem access and possibly execute arbitrary code on the server. The high CVSS score of 8.8 signals strong potential impact. Although EPSS data is not available, the attack could proceed using the widget's template parameter to trigger a directory traversal, leading to sensitive file disclosure or code execution and possible full site compromise.

Generated by OpenCVE AI on April 17, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Livemesh Addons for Elementor update (any version newer than 9.0) to remove the vulnerable code.
  • If the plugin is not essential, remove or deactivate it from the WordPress installation.
  • Restrict Contributor and lower roles from editing widgets or from having the capability to add widget templates; consider granting only Editor or higher for content editing.
  • Set the file system permissions of the plugin directories so that PHP files cannot be executed outside the intended scope, and ensure that no sensitive files are world-readable.
  • Monitor access logs for abnormal template parameter values or repeated attempts at directory traversal.

Generated by OpenCVE AI on April 17, 2026 at 03:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Livemeshelementor
Livemeshelementor addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Livemeshelementor
Livemeshelementor addons For Elementor
Wordpress
Wordpress wordpress

Thu, 16 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.
Title Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Livemeshelementor Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T12:55:49.055Z

Reserved: 2026-01-29T14:18:07.864Z

Link: CVE-2026-1620

cve-icon Vulnrichment

Updated: 2026-04-16T12:55:45.425Z

cve-icon NVD

Status : Received

Published: 2026-04-16T07:16:29.787

Modified: 2026-04-16T07:16:29.787

Link: CVE-2026-1620

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses