Platform: wordpress
Component: addons-for-elementor
Fixed in: 9.0.1
CVE-2026-39636 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in Livemesh Addons for Elementor, a plugin extending the popular Elementor page builder for WordPress. This vulnerability allows attackers to inject malicious scripts that are stored on the server and executed when other users view affected pages. Versions of Livemesh Addons for Elementor from 0.0.0 up to and including 9.0 are vulnerable. A patch is expected to be released by the vendor.
The Stored XSS vulnerability in Livemesh Addons for Elementor poses a significant risk to websites using the plugin. An attacker could inject malicious JavaScript code into the plugin's data storage, such as through a form field or other input mechanism. When a user views a page containing this injected script, the script will execute in the user's browser, allowing the attacker to steal cookies, redirect the user to a malicious website, or deface the website. The potential impact extends beyond simple defacement; attackers could leverage this vulnerability to gain unauthorized access to user accounts, steal sensitive data (like login credentials or personal information), or even compromise the entire WordPress installation. Given the widespread use of Elementor and its addons, the blast radius of this vulnerability is considerable, potentially affecting numerous websites and their users.
CVE-2026-39636 was published on 2026-04-08. As of this date, there is no indication of active exploitation campaigns targeting this vulnerability. The CVSS score of 6.5 (MEDIUM) suggests a moderate probability of exploitation once the details are widely known and a proof-of-concept (PoC) becomes available. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog or flagged by EPSS. Monitor security advisories and vulnerability databases for updates and potential exploitation activity.
Exploit Status
EPSS: 0.03% (10th percentile)
CVSS Vector:
The primary mitigation for CVE-2026-39636 is to upgrade to the patched version of Livemesh Addons for Elementor as soon as it becomes available. Until the patch is released, consider implementing temporary workarounds to reduce the risk. These may include disabling the vulnerable addon features, implementing strict input validation and sanitization on all user-supplied data processed by the addon, and utilizing a Web Application Firewall (WAF) with XSS protection rules. A WAF can help filter out malicious requests before they reach the application. Regularly scan your website for XSS vulnerabilities using automated tools. After upgrading, thoroughly test the addon functionality to ensure the patch has been applied correctly and hasn't introduced any new issues. Confirm by attempting to inject a simple XSS payload through a vulnerable input field and verifying that the script is not executed.
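To make the sanitization advice concrete, the following is an added illustration (not Livemesh code, and not the actual vulnerable location, which this record does not identify) of how an Elementor widget's stored settings become a stored XSS sink and how context-specific output escaping closes it. The widget class and setting names (`card_id`, `link`, `title`, `body`) are assumed; `get_settings_for_display()`, `esc_attr()`, `esc_url()`, `esc_html()` and `wp_kses_post()` are real Elementor/WordPress APIs.

```php
<?php
// Added illustration, not part of the Livemesh plugin. Widget class and
// setting names are hypothetical; the Elementor/WordPress calls are real.
use Elementor\Widget_Base;

class Example_Card_Widget extends Widget_Base {
    public function get_name() { return 'example_card'; }

    // BEFORE: widget settings saved by anyone who can edit the page are
    // echoed verbatim into the rendered page. Because Elementor persists
    // them in post meta, a title or body containing markup with an event
    // handler is stored once and executes in every visitor's browser.
    protected function render_vulnerable() {
        $s = $this->get_settings_for_display();
        echo '<div class="card" data-id="' . $s['card_id'] . '">';
        echo '<a href="' . ( $s['link']['url'] ?? '' ) . '">' . $s['title'] . '</a>';
        echo '<div class="body">' . $s['body'] . '</div></div>';
    }

    // AFTER: escape each value for the HTML context it lands in.
    protected function render() {
        $s = $this->get_settings_for_display();
        // Attribute context: esc_attr() encodes quotes and angle brackets.
        echo '<div class="card" data-id="' . esc_attr( $s['card_id'] ) . '">';
        // URL context: esc_url() rejects non-allowlisted schemes such as
        // javascript: and encodes characters that could break out of href.
        echo '<a href="' . esc_url( $s['link']['url'] ?? '' ) . '">';
        // Text context: esc_html() neutralises any tags in the title.
        echo esc_html( $s['title'] ) . '</a>';
        // Rich-text context: wp_kses_post() keeps post-safe HTML (p, a,
        // strong, img ...) but strips script tags and on* event attributes.
        echo '<div class="body">' . wp_kses_post( $s['body'] ) . '</div></div>';
    }
}
```

The same contexts apply when checking a patched build: confirm that attribute, URL, text and rich-text outputs of the affected widgets all pass through one of these escaping functions rather than only trusting the WAF.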
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
It's a Stored XSS vulnerability in Livemesh Addons for Elementor, allowing attackers to inject malicious scripts into website pages.
If you're using Livemesh Addons for Elementor versions 0.0.0 through 9.0, you are potentially affected by this vulnerability.
Upgrade to the latest patched version of Livemesh Addons for Elementor as soon as it's released. Implement temporary workarounds until the patch is available.
As of the publication date, there's no evidence of active exploitation, but monitor for updates.
Refer to the official vendor advisory from Livemesh and the NVD entry for CVE-2026-39636 for detailed information.