{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1572", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-28T21:18:21.899Z", "datePublished": "2026-04-16T06:44:50.911Z", "dateUpdated": "2026-04-16T12:55:37.314Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:50.911Z"}, "affected": [{"vendor": "livemesh", "product": "Livemesh Addons by Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages."}], "title": "Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/24b9bf5a-19ac-4e99-b32d-1ab681356a1b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L28"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L28"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/plugin.php#L207"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/plugin.php#L207"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/views/settings.php#L707"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/views/settings.php#L707"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-04-15T17:57:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:53:24.320188Z", "id": "CVE-2026-1572", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:55:37.314Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1572", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:53:24.320188Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:55:31.909Z"}}], "cna": {"title": "Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "livemesh", "product": "Livemesh Addons by Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-15T17:57:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/24b9bf5a-19ac-4e99-b32d-1ab681356a1b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L28"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L28"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/plugin.php#L207"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/plugin.php#L207"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/views/settings.php#L707"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/views/settings.php#L707"}], "descriptions": [{"lang": "en", "value": "The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:50.911Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1572", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:55:37.314Z", "dateReserved": "2026-01-28T21:18:21.899Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-16T06:44:50.911Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages."}], "id": "CVE-2026-1572", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T07:16:29.610", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L28"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/views/settings.php#L707"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/plugin.php#L207"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L28"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/views/settings.php#L707"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/plugin.php#L207"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/24b9bf5a-19ac-4e99-b32d-1ab681356a1b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 80.0, "source": "matching"}]}, "original": {"product": "Livemesh Addons by Elementor", "source": "cna", "vendor": "livemesh"}, "product": "addons_for_elementor", "vendor": "livemeshelementor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T03:29:44.143555+00:00", "value": {"mitigation_remediation": ["Install the latest Livemesh Addons for Elementor release (9.1 or newer) to receive the authorization checks and output escaping fix.", "If an upgrade is unavailable, limit the plugin\u2019s settings access to Administrators by modifying role capabilities or disabling the settings page for Subscribers and lower roles.", "Disable the Livemesh Addons plugin or remove it entirely on sites that cannot be updated until the fixed version is applied.", "Optionally, deploy a content filtering or sanitization plugin to remove potentially unsafe scripts from the plugin settings page output."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via plugin settings"}, "threat_synthesis": {"affected_systems": "All versions of the Livemesh Addons for Elementor plugin up to and including 9.0, used on WordPress sites. The vulnerability exists in the plugin\u2019s backend AJAX handling and settings pages, affecting any WordPress installation that has the plugin installed and permits Subscribers or higher to access the settings area.", "description_and_impact": "The Livemesh Addons for Elementor plugin is vulnerable due to missing authorization checks on the AJAX handler lae_admin_ajax and insufficient escaping of checkbox settings. This allows a Subscriber or higher authenticated attacker with a valid nonce to store malicious JavaScript in the plugin\u2019s settings. When an administrator later visits the settings page, the injected script executes in the admin\u2019s browser, potentially enabling session hijacking, defacement, or other client\u2011side attacks.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.4, indicating a moderate risk. The exploitation probability is not provided. The flaw is not included in the CISA known exploited vulnerabilities catalog. Exploitation requires an authenticated user with at least Subscriber level access who can obtain a plugin\u2011generated nonce; once the nonce is known, the attacker can inject arbitrary script that is stored and later executed for any administrator that views the settings page. Because the attacker must be authenticated, the attack surface is limited to trusted users, yet the consequences for administrative accounts can be severe if the malicious code runs in their session."}}}}, "created": "2026-04-16T10:45:25.874423+00:00", "updated": "2026-04-17T03:30:08.602864+00:00", "vendors": ["livemeshelementor", "livemeshelementor$PRODUCT$addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}