CVE-2026-1572

Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings

Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=9.0
Published: April 15, 2026
Last updated: April 16, 2026
Affected plugin: addons-for-elementor
Research Plan
Unverified


This research plan outlines the steps to exploit CVE-2026-1572, a missing authorization and stored XSS vulnerability in the Livemesh Addons for Elementor plugin.


1. Vulnerability Summary

The lae_admin_ajax() function in the Livemesh Addons for Elementor plugin fails to implement a capability check (e.g., current_user_can('manage_options')). This AJAX handler is used to update plugin settings. While it likely employs a nonce for CSRF protection, the plugin also suffers from improper access control, allowing low-privileged users (Subscribers) to access the settings page where the nonce is exposed. Furthermore, settings related to checkboxes are not properly sanitized before being stored and are not escaped when rendered on the settings page, leading to Stored Cross-Site Scripting (XSS).

2. Attack Vector Analysis

  • AJAX Action: lae_admin_ajax
  • Endpoint: /wp-admin/admin-ajax.php
  • Authentication: Authenticated (Subscriber level or higher).
  • Vulnerable Parameter: Likely a nested array in $_POST (e.g., settings or widgets_status) containing checkbox values.
  • Preconditions:
    1. The attacker must have a valid Subscriber account.
    2. The attacker must obtain a valid nonce (leaked via the admin settings page accessible to Subscribers).

3. Code Flow (Inferred)

  1. Entry: A POST request is sent to admin-ajax.php with action=lae_admin_ajax.
  2. Dispatch: WordPress executes the hook wp_ajax_lae_admin_ajax.
  3. Handler: The function lae_admin_ajax() (likely in includes/admin/class-lae-admin-settings.php or similar) is called.
  4. Verification: The code calls check_ajax_referer('lae-admin-settings-nonce', 'security') (inferred nonce action and parameter). It fails to call current_user_can().
  5. Sink (Storage): The handler iterates through $_POST['settings'] and saves them using update_option('lae_settings', ...).
  6. Sink (Output): When an Administrator visits the settings page (slug: lae-settings), the plugin retrieves the option and echoes the malicious value inside an HTML attribute (e.g., <input value="[XSS]">) without using esc_attr().

4. Nonce Acquisition Strategy

The vulnerability description explicitly mentions that the nonce is leaked via improper access control on settings pages.

  1. Identify Settings Page: The plugin settings page slug is likely lae-settings.
  2. Access as Subscriber: Navigate to /wp-admin/admin.php?page=lae-settings using a Subscriber session.
  3. Extract Nonce:
    • The nonce is likely localized via wp_localize_script.
    • Use browser_navigate to open the settings page.
    • Use browser_eval to find the nonce: browser_eval("window.lae_settings_vars?.lae_admin_nonce") (inferred JS object name).
    • Alternatively, check for a hidden input: browser_eval("document.querySelector('#lae_settings_nonce')?.value").

5. Exploitation Strategy

  1. Setup: Create a Subscriber user and log in.
  2. Nonce Retrieval: Access the settings page as the Subscriber and extract the security or nonce parameter.
  3. Injection: Send a crafted AJAX request to modify a checkbox setting with an XSS payload.
    • Tool: http_request
    • Method: POST
    • URL: http://[target]/wp-admin/admin-ajax.php
    • Body (shown decoded for readability; the payload must be percent-encoded on the wire, e.g. " as %22 and < as %3C, and the field name is inferred):
      action=lae_admin_ajax
      &security=[EXTRACTED_NONCE]
      &settings[some_widget_checkbox]="><script>alert(document.domain)</script>

    • Content-Type: application/x-www-form-urlencoded
  4. Trigger: Log in as an Administrator and navigate to the plugin settings page.

6. Test Data Setup

  1. User: Create a user with the subscriber role.
  2. Plugin Configuration: Ensure the Livemesh Addons for Elementor plugin (v9.0 or below) is active.
  3. Page Creation: (Optional) If the settings page is not directly accessible, check if the nonce is available on the dashboard or any page where the plugin enqueues admin scripts.

7. Expected Results

  • The AJAX request should return a success status (e.g., {"success": true}).
  • When the Administrator views the settings page, the browser should execute the alert(document.domain) payload.
  • The HTML source of the settings page should show the payload breaking out of an attribute: <input ... value=""><script>alert(document.domain)</script>" ...>.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify the stored option:
    wp option get lae_settings --format=json
    Check if the injected string is present in the output.
  2. Response Check: Verify the http_request response for the AJAX call contains a successful status code and JSON body.
  3. Visual Confirmation: Use browser_navigate as an Admin to the settings page and use browser_eval to check for the existence of the injected script or the alert.
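An offline check covering the database check and the visual confirmation in the Expected Results and Verification Steps above, as an added example that is not part of the advisory or of the plugin's code. It assumes the inferred option name lae_settings, the inferred settings[...] field naming, and the render loop shown later under Vulnerable Code; the field names in the sample JSON are constructed, and Python's html.escape() stands in for WordPress's esc_attr() (both encode & < > " ').

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample standing in for `wp option get lae_settings --format=json`.
# Two entries hold legitimate checkbox values; two hold injected strings
# (an attribute breakout into a <script> tag, and an event-handler attribute).
# Field names are assumptions, not the plugin's real setting keys.
SAMPLE_SETTINGS = {
    "lae_accordion_widget": "1",
    "lae_post_grid_widget": "0",
    "lae_tabs_widget": '"><script>alert(document.domain)</script>',
    "lae_carousel_widget": '" onfocus="alert(1)" autofocus="',
}
SAMPLE_OPTION_JSON = json.dumps(SAMPLE_SETTINGS)

# What a checkbox field can legitimately contain after a form round-trip.
ALLOWED_CHECKBOX_VALUES = {"", "0", "1"}


def find_suspicious_values(data, prefix=""):
    """Return {key: value} for every stored value that is not a checkbox value.

    Accepts the raw JSON string from WP-CLI or an already-decoded structure and
    walks nested arrays, since WordPress options are often serialized nested arrays.
    """
    if isinstance(data, str):
        data = json.loads(data)
    if isinstance(data, dict):
        items = data.items()
    elif isinstance(data, list):
        items = enumerate(data)
    else:
        return {}
    bad = {}
    for key, val in items:
        path = f"{prefix}{key}"
        if isinstance(val, (dict, list)):
            bad.update(find_suspicious_values(val, path + "."))
        elif isinstance(val, (bool, int)):
            continue  # booleans and 0/1 integers are what a checkbox should store
        elif not (isinstance(val, str) and val in ALLOWED_CHECKBOX_VALUES):
            bad[path] = val
    return bad


def render_checkbox(field, val, escape):
    """Model of the inferred settings-page sink.

    escape=False reproduces the unescaped echo described in the advisory;
    escape=True applies html.escape(), standing in here for esc_attr().
    """
    name = f"settings[{field}]"
    if escape:
        name = html.escape(name, quote=True)
        val = html.escape(val, quote=True)
    checked = " checked='checked'" if val == "1" else ""
    return f'<input type="checkbox" name="{name}" value="{val}"{checked} />'


def render_settings_form(settings, escape):
    """Render every checkbox of the settings dict inside the admin form."""
    rows = "".join(render_checkbox(k, v, escape) for k, v in settings.items())
    return f'<form method="post" action="options.php">{rows}</form>'


class SettingsFormAuditor(HTMLParser):
    """Collect markup that only an injected checkbox value could produce:
    a <script> element inside the settings form, or an on* handler on an <input>."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "script" and self.in_form:
            self.findings.append(("script_in_form", None))
        elif tag == "input" and any(a.startswith("on") for a in attrs):
            self.findings.append(("event_handler_attr", attrs.get("name")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def audit_rendered_form(markup):
    """Return [(finding_type, input_name), ...] for a rendered settings page."""
    auditor = SettingsFormAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    print("suspicious stored values:", find_suspicious_values(SAMPLE_OPTION_JSON))
    print("unescaped render:", audit_rendered_form(render_settings_form(SAMPLE_SETTINGS, escape=False)))
    print("escaped render:", audit_rendered_form(render_settings_form(SAMPLE_SETTINGS, escape=True)))
```

Against a real site, feed the output of `wp option get lae_settings --format=json` to find_suspicious_values() and the saved HTML of the settings page (fetched as an administrator) to audit_rendered_form(); an empty result from both is the expected state after cleanup, and a non-empty stored-value result with an empty render result means the sink was escaped but the injected option still needs to be reset.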

9. Alternative Approaches

  • Payload Variations: If " is filtered, try ' or a tag-based breakout: </label><script>alert(1)</script>.
  • Different Settings: The description mentions "multiple checkbox settings." If one field is sanitized, try others (e.g., settings for specific Elementor widgets like "Accordion" or "Post Grid").
  • Nonce Action Guessing: If the settings page is unreachable even with improper AC, check the frontend source code. Sometimes admin-ajax nonces are inadvertently leaked on the frontend if the plugin shares logic between contexts. Look for lae_ prefixed variables in the browser console.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Livemesh Addons for Elementor plugin fails to perform authorization checks in its lae_admin_ajax() handler and improperly allows low-privileged users to access the settings page where nonces are exposed. This enables authenticated attackers (Subscriber+) to modify plugin settings and inject malicious scripts into checkbox fields, leading to Stored Cross-Site Scripting (XSS) that executes when an administrator visits the configuration panel.

Vulnerable Code

// File: includes/admin/class-lae-admin-settings.php
public function lae_admin_ajax() {
    // Nonce check is present, but the nonce is leaked to Subscribers via improper access control on settings pages
    check_ajax_referer('lae-admin-settings-nonce', 'security');

    // BUG: Missing capability check like current_user_can('manage_options')
    if (isset($_POST['settings'])) {
        $settings = $_POST['settings'];
        // BUG: Settings are saved without sanitization
        update_option('lae_settings', $settings);
    }
    wp_send_json_success();
}

---

// File: includes/admin/views/settings-display.php
// Inferred location where settings are rendered
foreach ($settings as $id => $val) {
    // BUG: $val is echoed into the value attribute without esc_attr()
    echo '<input type="checkbox" name="settings[' . $id . ']" value="' . $val . '" ' . checked($val, 1, false) . ' />';
}

Security Fix

--- a/includes/admin/class-lae-admin-settings.php
+++ b/includes/admin/class-lae-admin-settings.php
@@ -10,6 +10,10 @@
 public function lae_admin_ajax() {
     check_ajax_referer('lae-admin-settings-nonce', 'security');
 
+    if (!current_user_can('manage_options')) {
+        wp_send_json_error(__('Unauthorized access.', 'addons-for-elementor'), 403);
+    }
+
     if (isset($_POST['settings'])) {
-        $settings = $_POST['settings'];
+        $settings = map_deep($_POST['settings'], 'sanitize_text_field');
         update_option('lae_settings', $settings);
     }
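Review bot: the added `map_deep($_POST['settings'], 'sanitize_text_field')` line does not neutralize attribute injection: sanitize_text_field() strips tags but keeps double quotes, so a value such as `" onfocus="alert(1)` is stored unchanged and only the esc_attr() in the view keeps it out of the attribute. Because these are checkbox fields, constrain each value to the expected set instead, for example `$clean[$k] = ( '1' === (string) $v ) ? 1 : 0;` over a fixed list of known setting keys (rest_sanitize_boolean() is an alternative), and drop unknown keys so the handler cannot write arbitrary entries into `lae_settings`. The capability check is correctly placed before the write, and wp_send_json_error() terminates the request, so no return is needed after it.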
--- a/includes/admin/views/settings-display.php
+++ b/includes/admin/views/settings-display.php
@@ -25,1 +25,1 @@
-    echo '<input type="checkbox" name="settings[' . $id . ']" value="' . $val . '" ' . checked($val, 1, false) . ' />';
+    echo '<input type="checkbox" name="settings[' . esc_attr($id) . ']" value="' . esc_attr($val) . '" ' . checked($val, 1, false) . ' />';
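Review bot: esc_attr($val) closes the breakout, but a checkbox input does not need to echo the stored value at all: emit `value="1"` as a constant and let `checked($val, 1, false)` carry the stored state, which removes the sink instead of escaping it. The hunk header `@@ -25,1 +25,1 @@` is also unusual; `@@ -25 +25 @@` is the conventional single-line form. Since `settings-display.php` is listed above as an inferred location, the real view file should be confirmed before this hunk is applied.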

Exploit Outline

The exploit targets the missing capability check in the `lae_admin_ajax` handler combined with improper access control on the plugin's settings page. The page slug, nonce action, JavaScript object and field name below are the inferred values used in the research plan above, not confirmed identifiers. An attacker follows these steps:

  1. Authenticate as a Subscriber-level user.
  2. Access the plugin settings page (typically `/wp-admin/admin.php?page=lae-settings`), which is reachable by Subscribers because the menu registration lacks a capability check.
  3. Extract the `lae-admin-settings-nonce` value from the page source or the `lae_settings_vars` JavaScript object.
  4. Send a POST request to `/wp-admin/admin-ajax.php` with `action=lae_admin_ajax`, the extracted nonce in the `security` parameter, and a payload targeting a checkbox field (e.g., `settings[some_checkbox]="><script>alert(document.domain)</script>`, percent-encoded on the wire).
  5. The payload is stored in the database via `update_option`.
  6. The XSS fires whenever an Administrator visits the Livemesh Addons settings page, as the injected string breaks out of the `value` attribute of the checkbox input.
