Skip to main content

PHP CVE-2026-1620

| EUVD-2026-23205 HIGH
PHP Remote File Inclusion (CWE-98)
2026-04-16 Wordfence
PHP LFI WordPress Path Traversal Elementor
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 20:37 vuln.today
cvss_changed
Analysis Generated
Apr 16, 2026 - 07:50 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 07:30 euvd
EUVD-2026-23205
Analysis Generated
Apr 16, 2026 - 07:30 vuln.today
CVE Published
Apr 16, 2026 - 06:44 nvd
HIGH 8.8

DescriptionCVE.org

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the lae_get_template_part() function, which uses an inadequate str_replace() approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.

AnalysisAI

Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain Contributor credentials
Delivery
Access Elementor page editor
Exploit
Inject recursive traversal pattern in widget template parameter
Install
Trigger widget render
C2
Bypass str_replace() sanitization
Execute
Include arbitrary PHP file
Impact
Execute code as web server user
Step 8
Establish persistent access
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires authenticated access with WordPress Contributor role or higher (Editor, Administrator). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is MODERATE-HIGH despite 8.8 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with Contributor-level credentials on a WordPress site running Livemesh Addons for Elementor ≤9.0 creates or edits a page using Elementor widgets. The attacker crafts a malicious template parameter containing recursive directory traversal sequences (e.g., '....//....//....//etc/passwd' or path to writable upload directory containing attacker-uploaded PHP webshell). …
Remediation Primary mitigation: Upgrade Livemesh Addons for Elementor plugin to version 9.1 or later if available (fix version not independently confirmed from provided data - verify with vendor advisory at Wordfence link or WordPress plugin repository changelog). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Disable or remove Livemesh Addons for Elementor on all affected WordPress installations (version ≤9.0); audit contributor-level user accounts for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-1620 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy