
cpe:2.3:a:livemesh:livemesh_addons_by_elementor:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Livemesh (1612245a-73f2-5170-8d95-d6413fcd21fb)
Product: Livemesh Addons By Elementor (3c457394-7390-5a24-941b-4ac1e05cc44e)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-1620 vulnerable 2026-06-08 07:49:09.041477 Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter
HIGH (8.8)
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.
Published: 2026-04-16T06:44:50.305Z
Updated: 2026-04-16T12:55:49.055Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1572 vulnerable 2026-06-08 07:49:08.921217 Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings
MEDIUM (6.4)
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages.
Published: 2026-04-16T06:44:50.911Z
Updated: 2026-04-16T12:55:37.314Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8858 vulnerable 2026-06-08 07:00:25.849669 Elementor Addons by Livemesh <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via piechart_settings Parameter
MEDIUM (6.4)
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘piechart_settings’ parameter in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-47303 is likely a duplicate of this issue.
Published: 2024-09-25T10:59:51.550Z
Updated: 2026-04-08T17:25:41.347Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3639 vulnerable 2026-06-08 06:43:51.036851 Elementor Addons by Livemesh <= 8.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Grid
MEDIUM (6.4)
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes like 'grid_skin'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2024-07-04T03:32:24.553Z
Updated: 2026-04-08T17:10:22.913Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3638 vulnerable 2026-06-08 06:43:51.035432 Elementor Addons by Livemesh <= 8.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Marquee Text Widget, Testimonials Widget, and Testimonial Slider Widgets
MEDIUM (6.4)
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2024-07-04T03:32:23.393Z
Updated: 2026-04-08T16:54:38.761Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2926 vulnerable 2026-06-08 06:35:27.719537 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2655 vulnerable 2026-06-08 06:33:31.730076 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2539 vulnerable 2026-06-08 06:33:31.308518 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2385 vulnerable 2026-06-08 06:33:30.981969 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1466 vulnerable 2026-06-08 06:25:40.139586 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1465 vulnerable 2026-06-08 06:25:40.139019 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1464 vulnerable 2026-06-08 06:25:40.138527 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1461 vulnerable 2026-06-08 06:25:40.137091 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1458 vulnerable 2026-06-08 06:25:40.131032 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1235 vulnerable 2026-06-08 06:25:39.633968 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-0448 vulnerable 2026-06-08 06:22:01.147200 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4974 vulnerable 2026-06-08 05:52:02.434691 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
