
Livemesh Addons For Elementor CVE-2026-39636

EUVD-2026-20292 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 · Patchstack · GHSA-qv5m-7xm8-mwj3
CVSS 3.1 (NVD): 6.5

Severity by source

NVD (primary): 6.5 MEDIUM, AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 15, 2026 - 12:42 (vuln.today)
CVSS changed: Apr 13, 2026 - 20:22 (NVD), 6.5 (MEDIUM)
EUVD ID Assigned: Apr 08, 2026 - 08:45 (euvd), EUVD-2026-20292
CVE Published: Apr 08, 2026 - 08:30 (nvd), N/A

Description (CVE.org)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS. This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.

Analysis (AI)

Stored cross-site scripting (XSS) in Livemesh Addons for Elementor through version 9.0 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of administrators and other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling attackers to persistently compromise site functionality and steal administrative credentials or session tokens. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain authenticated WordPress account
Delivery: Access post/page editor with Livemesh widget
Exploit: Inject JavaScript payload into widget field
Install: Submit/publish content
C2: Administrator views affected page
Execute: Malicious script executes in admin browser
Impact: Exfiltrate session token or perform unauthorized action

Vulnerability Assessment (AI)

Exploitation: The attacker must possess a valid authenticated WordPress user account with permissions to create or edit posts and access Livemesh Addons widgets (typically contributor, editor, or author role). …

Risk Assessment: The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C) indicates network-accessible stored XSS requiring low attack complexity and authenticated user privileges, with user interaction required (UI:R) and changed scope (S:C), yielding a base score of 6.5 (medium). …

Exploit Scenario: An authenticated WordPress user with contributor or editor privileges creates a post or page using the Livemesh Addons widget and, intentionally or through social engineering, embeds a JavaScript payload (e.g., `<img src=x onerror=alert('XSS')>` or a credential-stealing script) in a widget text field. The payload is stored in the database unescaped. …

Remediation: Upgrade Livemesh Addons for Elementor to a version greater than 9.0 (exact patched version not specified in available advisories; consult vendor release notes for the latest stable build). …
