8.8

Livemesh Addons for Elementor allows attackers to access server files

CVE-2026-1620
Summary

If you use the Livemesh Addons for Elementor plugin with WordPress, an attacker could trick an administrator into installing a malicious file. This would allow the attacker to access and potentially execute any file on the server. To protect your site, update to a secure version of the plugin or remove it if you don't need it.

Original title
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name...
Original description
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-98 Improper Control of Filename for Include
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026
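
The description above attributes the flaw to a single `str_replace()` pass over the template name. The PHP below is an added example, not the plugin's code: `weak_clean_template_name()` and `resolve_template()` are hypothetical names, and the input and temp directory are constructed. It shows why one-pass stripping leaves a traversal sequence behind and how an allow-list plus a `realpath()` containment check rejects it.

```php
<?php
// Added example: hypothetical helpers, not the plugin's own source.

// Weak pattern: a single str_replace() pass deletes each "../" it finds, but
// never rescans, so the characters left behind can join into a new "../".
function weak_clean_template_name(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened pattern: accept only allow-listed names, then confirm the resolved
// path still sits inside the template directory before it is ever included.
function resolve_template(string $name, string $baseDir, array $allowed): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // missing directory or file
    }
    // The trailing separator stops "/templates-old" from matching "/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a throwaway directory holding one legitimate template.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . uniqid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'grid.php', "<?php // demo template\n");

$input   = '....//....//secret';            // constructed nested-traversal name
$cleaned = weak_clean_template_name($input);

echo "weak filter output:  ", $cleaned, PHP_EOL;
echo "still has traversal: ", var_export(strpos($cleaned, '../') !== false, true), PHP_EOL;
echo "hardened, bad name:  ", var_export(resolve_template($cleaned, $base, ['grid', 'list']), true), PHP_EOL;
echo "hardened, good name: ", var_export(resolve_template('grid', $base, ['grid', 'list']), true), PHP_EOL;

unlink($base . DIRECTORY_SEPARATOR . 'grid.php');
rmdir($base);
```

The hardened function never tries to repair the input: a name is either on the allow-list and resolves inside the template directory, or it is refused.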