{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1620", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T14:18:07.864Z", "datePublished": "2026-04-16T06:44:50.305Z", "dateUpdated": "2026-04-16T12:55:49.055Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:50.305Z"}, "affected": [{"vendor": "livemesh", "product": "Livemesh Addons by Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor."}], "title": "Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2483875a-84de-4a40-a69e-aee68da1ce3b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L669"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L669"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L671"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L671"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "cweId": "CWE-98", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2026-04-15T17:56:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:55:42.597006Z", "id": "CVE-2026-1620", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:55:49.055Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1620", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T12:55:42.597006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:55:45.425Z"}}], "cna": {"title": "Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "livemesh", "product": "Livemesh Addons by Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-15T17:56:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2483875a-84de-4a40-a69e-aee68da1ce3b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L669"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L669"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L671"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L671"}], "descriptions": [{"lang": "en", "value": "The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:50.305Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1620", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:55:49.055Z", "dateReserved": "2026-01-29T14:18:07.864Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-16T06:44:50.305Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor."}], "id": "CVE-2026-1620", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T07:16:29.787", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L669"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L671"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L669"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L671"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2483875a-84de-4a40-a69e-aee68da1ce3b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 80.0, "source": "matching"}]}, "original": {"product": "Livemesh Addons by Elementor", "source": "cna", "vendor": "livemesh"}, "product": "addons_for_elementor", "vendor": "livemeshelementor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T03:30:06.504915+00:00", "value": {"mitigation_remediation": ["Apply the latest Livemesh Addons for Elementor update (any version newer than 9.0) to remove the vulnerable code.", "If the plugin is not essential, remove or deactivate it from the WordPress installation.", "Restrict Contributor and lower roles from editing widgets or from having the capability to add widget templates; consider granting only Editor or higher for content editing.", "Set the file system permissions of the plugin directories so that PHP files cannot be executed outside the intended scope, and ensure that no sensitive files are world-readable.", "Monitor access logs for abnormal template parameter values or repeated attempts at directory traversal."], "summary": {"action": "Immediate Patch", "impact": "Authenticated Remote File Inclusion"}, "threat_synthesis": {"affected_systems": "All releases of the Livemesh Addons by Elementor plugin up to and including version 9.0 are affected. No further version granularity is available from the vendor information.", "description_and_impact": "The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion because the template name parameter in the lae_get_template_part() function is not properly sanitized. This flaw allows authenticated users with Contributor or higher roles to supply a recursive directory traversal string that bypasses the naive str_replace sanitization. An attacker can therefore include and execute arbitrary files located on the web server, potentially reading sensitive data or running PHP code that leads to system compromise.", "risk_and_exploitability": "The vulnerability poses a significant risk because it enables an authenticated contributor or higher role to gain filesystem access and possibly execute arbitrary code on the server. The high CVSS score of 8.8 signals strong potential impact. Although EPSS data is not available, the attack could proceed using the widget's template parameter to trigger a directory traversal, leading to sensitive file disclosure or code execution and possible full site compromise."}}}}, "created": "2026-04-16T09:00:05.119741+00:00", "updated": "2026-04-17T03:30:08.603626+00:00", "vendors": ["livemeshelementor", "livemeshelementor$PRODUCT$addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}