Platform: wordpress
Component: addons-for-elementor
Fixed in: 9.0.1
CVE-2026-1572 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Livemesh Addons for Elementor plugin for WordPress. This vulnerability allows authenticated attackers, with Subscriber-level access or higher, to inject malicious web scripts into the plugin settings page. Successful exploitation can lead to the execution of arbitrary JavaScript code within the context of an administrator's session, potentially compromising sensitive data and system functionality. The vulnerability impacts versions of the plugin up to and including 9.0, and a fix is expected in a future release.
An attacker exploiting CVE-2026-1572 can inject malicious JavaScript code into the Livemesh Addons for Elementor plugin settings. Because the vulnerability requires only Subscriber-level access, a relatively low-privilege user could potentially compromise the entire WordPress administration interface. The injected script would execute whenever an administrator accesses the plugin settings page. This could be used to steal administrator credentials, redirect users to phishing sites, deface the website, or inject malware. The blast radius extends to any data accessible to the administrator, including user data, database credentials, and sensitive configuration files. While the vulnerability requires authentication, the relatively low access level needed makes it a significant risk, particularly for sites with a large number of users or sensitive data.
CVE-2026-1572 was published on 2026-04-16. Its severity is currently being evaluated. There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. The vulnerability is not listed on KEV or EPSS. Monitor security advisories from the plugin vendor and WordPress security resources for updates and potential exploitation attempts. Refer to the NVD (National Vulnerability Database) for further details and updates.
Exploit Status
EPSS: 0.02% (7th percentile)
The primary mitigation for CVE-2026-1572 is to upgrade to a patched version of the Livemesh Addons for Elementor plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds. One approach is to restrict access to the plugin settings page to only those administrators who need to modify it. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious JavaScript code submitted through AJAX requests to the laeadminajax() endpoint. Review and sanitize all user inputs related to plugin settings, focusing on checkbox fields. Regularly scan the WordPress installation for malicious code and unauthorized modifications. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into a plugin setting and verifying that it does not execute.
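The defensive pattern the mitigation paragraph calls for, shown as an added example rather than code from the Livemesh plugin: a WordPress admin-ajax settings handler that enforces a capability check, a nonce, boolean coercion of checkbox fields and output escaping. The action name, option key and field names are assumptions, and the text-field handling goes slightly beyond the checkbox case the advisory mentions.

```php
<?php
// Added illustrative example, not code from the Livemesh Addons for Elementor plugin.
// Hardened admin-ajax handler for saving plugin settings that include checkbox fields.
// The action name, option key and field names are assumptions made for this example.

add_action( 'wp_ajax_lae_example_save_settings', 'lae_example_save_settings' );

function lae_example_save_settings() {
    // 1. Authorization: only users allowed to manage options may save settings.
    //    Without this check a Subscriber can reach an admin-only settings endpoint.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a valid nonce bound to this action.
    check_ajax_referer( 'lae_example_settings_nonce', 'nonce' );

    // 3. Validation: a checkbox is a boolean. Persist only '1' or '0', never the raw
    //    submitted string, so attacker-controlled markup is never stored.
    $allowed_checkboxes = array( 'enable_lazy_load', 'enable_custom_css' );
    $clean              = array();
    foreach ( $allowed_checkboxes as $field ) {
        $clean[ $field ] = ( isset( $_POST[ $field ] ) && '1' === $_POST[ $field ] ) ? '1' : '0';
    }

    // Free-text settings are sanitized rather than stored verbatim.
    $clean['custom_label'] = isset( $_POST['custom_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['custom_label'] ) )
        : '';

    update_option( 'lae_example_settings', $clean );
    wp_send_json_success( $clean );
}

// 4. Output escaping: render stored values through WordPress escaping helpers so a
//    value that somehow reached the database still cannot become live markup.
function lae_example_render_checkbox( $field, $settings ) {
    $is_checked = isset( $settings[ $field ] ) && '1' === $settings[ $field ];
    printf(
        '<input type="checkbox" name="%1$s" value="1" %2$s />',
        esc_attr( $field ),
        checked( $is_checked, true, false )
    );
}

function lae_example_render_text( $field, $settings ) {
    $value = isset( $settings[ $field ] ) ? $settings[ $field ] : '';
    printf( '<input type="text" name="%1$s" value="%2$s" />', esc_attr( $field ), esc_attr( $value ) );
}
```

The capability check is what stops low-privilege accounts reaching the handler at all; the coercion and escaping steps are the defence in depth that keeps a stored value from executing in an administrator's browser.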
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
It's a Stored Cross-Site Scripting (XSS) vulnerability in the Livemesh Addons for Elementor WordPress plugin, allowing attackers to inject malicious scripts.
If you are using Livemesh Addons for Elementor version 9.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to the latest version of the Livemesh Addons for Elementor plugin as soon as a patch is released. Implement WAF rules and restrict access to plugin settings as temporary measures.
Currently, there are no known public exploits or active campaigns targeting this vulnerability, but monitoring is advised.
Refer to the NVD (National Vulnerability Database) and security advisories from the plugin vendor and WordPress security resources for updates.