Livemesh Addons By Elementor
cpe:2.3:a:livemesh:livemesh_addons_by_elementor:*:*:*:*:*:*:*:*
part: a version: * update: *
| Field | Value |
|---|---|
| Vendor | Livemesh (1612245a-73f2-5170-8d95-d6413fcd21fb) |
| Product | Livemesh Addons By Elementor (3c457394-7390-5a24-941b-4ac1e05cc44e) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-1620 | vulnerable | 2026-06-08 07:49:09.041477 | Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter<br>HIGH (8.8)<br>The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.<br>Published: 2026-04-16T06:44:50.305Z<br>Updated: 2026-04-16T12:55:49.055Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-1572 | vulnerable | 2026-06-08 07:49:08.921217 | Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings<br>MEDIUM (6.4)<br>The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages.<br>Published: 2026-04-16T06:44:50.911Z<br>Updated: 2026-04-16T12:55:37.314Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-8858 | vulnerable | 2026-06-08 07:00:25.849669 | Elementor Addons by Livemesh <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via piechart_settings Parameter<br>MEDIUM (6.4)<br>The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘piechart_settings’ parameter in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-47303 is likely a duplicate of this issue.<br>Published: 2024-09-25T10:59:51.550Z<br>Updated: 2026-04-08T17:25:41.347Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-3639 | vulnerable | 2026-06-08 06:43:51.036851 | Elementor Addons by Livemesh <= 8.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Grid<br>MEDIUM (6.4)<br>The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes like 'grid_skin'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br>Published: 2024-07-04T03:32:24.553Z<br>Updated: 2026-04-08T17:10:22.913Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-3638 | vulnerable | 2026-06-08 06:43:51.035432 | Elementor Addons by Livemesh <= 8.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Marquee Text Widget, Testimonials Widget, and Testimonial Slider Widgets<br>MEDIUM (6.4)<br>The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br>Published: 2024-07-04T03:32:23.393Z<br>Updated: 2026-04-08T16:54:38.761Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-2926 | vulnerable | 2026-06-08 06:35:27.719537 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-2655 | vulnerable | 2026-06-08 06:33:31.730076 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-2539 | vulnerable | 2026-06-08 06:33:31.308518 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-2385 | vulnerable | 2026-06-08 06:33:30.981969 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-1466 | vulnerable | 2026-06-08 06:25:40.139586 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-1465 | vulnerable | 2026-06-08 06:25:40.139019 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-1464 | vulnerable | 2026-06-08 06:25:40.138527 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-1461 | vulnerable | 2026-06-08 06:25:40.137091 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-1458 | vulnerable | 2026-06-08 06:25:40.131032 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-1235 | vulnerable | 2026-06-08 06:25:39.633968 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-0448 | vulnerable | 2026-06-08 06:22:01.147200 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-4974 | vulnerable | 2026-06-08 05:52:02.434691 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |