EUVD-2026-23205CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the lae_get_template_part() function, which uses an inadequate str_replace() approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.
AnalysisAI
Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Disable or remove Livemesh Addons for Elementor on all affected WordPress installations (version ≤9.0); audit contributor-level user accounts for suspicious activity. Within 7 days: Identify and test alternative Elementor addon solutions; plan migration of widget templates if applicable. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today