Platform: wordpress
Component: addons-for-elementor
Fixed in: 9.0.1
CVE-2026-1620 represents a critical Directory Traversal vulnerability affecting the Livemesh Addons for Elementor plugin, a popular extension for the WordPress content management system. This flaw allows authenticated attackers, possessing a minimum of Contributor-level access, to potentially include and execute arbitrary files on the server. The vulnerability stems from insufficient sanitization within the lae_get_template_part() function, impacting all versions of the plugin up to and including 9.0. A patch is expected to address this issue.
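The bug class described above, shown as an added example that is not taken from the plugin or from this advisory: a generic unsafe template include next to a hardened loader that allow-lists the name, canonicalises it with realpath() and checks that the result stays inside the template root. All function names and the demo directory are hypothetical.

```php
<?php
// Added example with hypothetical names; not the plugin's code.

// Generic unsafe pattern for this bug class: the caller-supplied name goes
// straight into the include path, so "../" segments leave $base_dir.
function example_unsafe_template_part(string $base_dir, string $name): void
{
    include $base_dir . '/' . $name . '.php';
}

// Hardened form: allow-list the name, canonicalise, then check containment.
function example_resolve_template_part(string $base_dir, string $name): ?string
{
    // 1. Only slug-like segments; rejects dots, backslashes, NULs, schemes.
    if (!preg_match('#\A[a-z0-9_-]+(?:/[a-z0-9_-]+)*\z#i', $name)) {
        return null;
    }
    // 2. realpath() resolves symlinks and returns false for missing files.
    $root = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    if ($root === false || $path === false) {
        return null;
    }
    // 3. Trailing separator stops "/templates-old" matching "/templates".
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $root, strlen($root)) === 0 ? $path : null;
}

function example_safe_template_part(string $base_dir, string $name): bool
{
    $path = example_resolve_template_part($base_dir, $name);
    if ($path === null) {
        return false; // reject; never fall back to the raw value
    }
    include $path;
    return true;
}

// Constructed demo: temporary template root holding a single template.
$root = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($root);
file_put_contents($root . '/card.php', '<?php echo "card rendered\n";');
var_dump(example_safe_template_part($root, 'card'));
var_dump(example_safe_template_part($root, '../wp-config'));
var_dump(example_safe_template_part($root, 'card/../../card'));
unlink($root . '/card.php');
rmdir($root);
```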
The impact of CVE-2026-1620 is significant due to the potential for unauthorized file access and code execution. An attacker exploiting this vulnerability could leverage their Contributor-level access to include sensitive configuration files, source code, or even malicious scripts. Successful exploitation could lead to complete server compromise, data exfiltration, and denial of service. The ability to execute arbitrary files opens the door to a wide range of attacks, including the installation of backdoors, modification of website content, and the theft of user credentials. The blast radius extends to any data stored on the server accessible through the vulnerable plugin.
CVE-2026-1620 was published on 2026-04-16. Its CVSS score of 8.8 (HIGH) indicates a significant risk. Public proof-of-concept (POC) code is likely to emerge given the relatively straightforward nature of directory traversal vulnerabilities. While no active campaigns targeting this specific vulnerability have been reported, the ease of exploitation suggests it could become a target for opportunistic attackers. Monitor security advisories from Livemesh and WordPress for updates and further details.
EPSS: 0.08% (24% percentile)
The primary mitigation for CVE-2026-1620 is to immediately upgrade the Livemesh Addons for Elementor plugin to a patched version as soon as it becomes available. Until a patch is released, consider restricting access to the plugin's template directory using file system permissions. Implement a Web Application Firewall (WAF) with rules to block suspicious requests containing directory traversal patterns (e.g., ../). Carefully review and restrict file upload permissions within the plugin to prevent attackers from uploading malicious files that could be included. Monitor server logs for unusual file access attempts related to the plugin.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
It's a Directory Traversal vulnerability in the Livemesh Addons for Elementor WordPress plugin, allowing attackers to include and execute files.
If you're using Livemesh Addons for Elementor version 9.0 or earlier, you are potentially affected. Check your plugin versions immediately.
Upgrade to the latest patched version of the Livemesh Addons for Elementor plugin as soon as it's released. Until then, restrict access and implement WAF rules.
No active campaigns have been reported yet, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official WordPress security advisories, Livemesh's website, and the NVD entry for CVE-2026-1620 for further information.