CVE-2026-1620
Received Received - Intake
Local File Inclusion in Livemesh Addons for Elementor Plugin

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: Wordfence

Description
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-16
Generated
2026-05-07
AI Q&A
2026-04-16
EPSS Evaluated
2026-05-05
NVD
CVE-2026-1620
EUVD
EUVD-2026-23205
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
livemesh addons_for_elementor to 9.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Livemesh Addons for Elementor plugin for WordPress has a Local File Inclusion (LFI) vulnerability in all versions up to and including 9.0. This occurs because the plugin does not properly sanitize the template name parameter in the lae_get_template_part() function. The sanitization uses an inadequate str_replace() method that can be bypassed with recursive directory traversal patterns.

As a result, authenticated attackers with Contributor-level access or higher can exploit this flaw to include and execute arbitrary local files on the server by manipulating the widget's template parameter, especially if they can trick an administrator into performing an action or installing Elementor.


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows attackers with relatively low privileges (Contributor-level access) to execute arbitrary files on the server. This can lead to full compromise of the affected WordPress site, including unauthorized access to sensitive data, modification or deletion of content, and potentially taking control of the server.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update the Livemesh Addons for Elementor plugin to a version later than 9.0 where the issue is fixed.

Additionally, restrict Contributor-level access and above to trusted users only, as the vulnerability requires authenticated access at that level.

Consider monitoring and limiting the use of the vulnerable template parameter in the plugin until an update is applied.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart