Livemesh Addons By Elementor
Monthly
Livemesh Addons for Elementor plugin versions up to 9.0 allow authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via the plugin settings page through missing authorization checks on the AJAX handler lae_admin_ajax() and insufficient output escaping on checkbox fields. The injected scripts execute whenever an administrator accesses the settings page if the attacker obtains a valid nonce, which can be leaked due to improper access control on settings pages. This combination of authorization bypass and stored XSS affects all WordPress installations running the vulnerable plugin.
Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).
Livemesh Addons for Elementor plugin versions up to 9.0 allow authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via the plugin settings page through missing authorization checks on the AJAX handler lae_admin_ajax() and insufficient output escaping on checkbox fields. The injected scripts execute whenever an administrator accesses the settings page if the attacker obtains a valid nonce, which can be leaked due to improper access control on settings pages. This combination of authorization bypass and stored XSS affects all WordPress installations running the vulnerable plugin.
Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).