Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The vulnerability allows a stored cross‑site scripting (XSS) flaw in the Livemesh Addons for Elementor plugin, enabling an attacker to inject malicious scripts that execute in the browsers of visitors. This could lead to session hijacking, theft of sensitive data, inappropriate UI changes, or further distribution of malware. The weakness corresponds to CWE‑79 – Improper Neutralization of Input During Web Page Generation.

Affected Systems

WordPress sites that use the Livemesh Addons for Elementor plugin from any version through 9.0, supplied by the vendor Livemesh. Any installation of these affected versions is susceptible.

Risk and Exploitability

The CVSS base score of 6.5 classifies the flaw as medium severity, while the EPSS score of less than 1% indicates a low probability of exploitation. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker or a user with content‑creation permissions could embed malicious data that the plugin stores and later serves to site visitors. Exploitation requires the attacker’s input to be accepted and rendered by the plugin, leading to arbitrary script execution in users’ browsers. Due to its storage nature, the impact is limited to compromised visitors rather than the server itself.

Generated by OpenCVE AI on April 13, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Livemesh Addons for Elementor to the latest version (>=9.1) that removes the XSS flaw.
  • If an update cannot be performed immediately, disable or uninstall the plugin until a patch is applied.
  • Review existing content for any injected scripts and remove them.
  • Monitor site traffic for signs of XSS activity or privilege escalation.

Generated by OpenCVE AI on April 13, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Livemesh
Livemesh livemesh Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Livemesh
Livemesh livemesh Addons For Elementor
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.
Title WordPress Livemesh Addons for Elementor plugin <= 9.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Livemesh Livemesh Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.896Z

Reserved: 2026-04-07T10:57:43.490Z

Link: CVE-2026-39636

cve-icon Vulnrichment

Updated: 2026-04-13T18:52:10.682Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:34.270

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39636

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:57Z

Weaknesses