Local File Inclusion Vulnerability in Livemesh Addons for Elementor by WordPress
CVE-2026-1620

8.8HIGH

Key Information:

Vendor: WordPress
Status: Livemesh Addons By Elementor
Vendor: CVE Published:; 16 April 2026

What is CVE-2026-1620?

The Livemesh Addons for Elementor plugin for WordPress has a vulnerability that allows for Local File Inclusion due to inadequate sanitization in the lae_get_template_part() function. Specifically, the function's use of str_replace() can be circumvented through recursive directory traversal patterns. This weakness enables authenticated attackers with Contributor access or higher to include and execute arbitrary files on the server. The attacker must deceive an administrator into performing an action or require Elementor to be installed to exploit this vulnerability effectively.

Affected Version(s)

Livemesh Addons by Elementor 0 <= 9.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/addons-for-ele...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

Craig Smith

CVE-2026-1620 Data

JSON