[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNHuODIIQT9P-vpPASBXQ_kV53LzNLWS29Z_RNj-mO1Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-1572","livemesh-addons-by-elementor-missing-authorization-to-authenticated-subscriber-stored-cross-site-scripting-via-plugin-se","Livemesh Addons by Elementor \u003C= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings","The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages.","addons-for-elementor",null,"\u003C=9.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 17:57:15","2026-04-16 06:44:51",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F24b9bf5a-19ac-4e99-b32d-1ab681356a1b?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-1572**, a missing authorization and stored XSS vulnerability in the **Livemesh Addons for Elementor** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe `lae_admin_ajax()` function in the Livemesh Addons for Elementor plugin fails to implement a capability check (e.g., `current_user_can('manage_options')`). This AJAX handler is used to update plugin settings. While it likely employs a nonce for CSRF protection, the plugin also suffers from improper access control, allowing low-privileged users (Subscribers) to access the settings page where the nonce is exposed. Furthermore, settings related to checkboxes are not properly sanitized before being stored and are not escaped when rendered on the settings page, leading to Stored Cross-Site Scripting (XSS).\n\n### 2. Attack Vector Analysis\n*   **AJAX Action:** `lae_admin_ajax`\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Authentication:** Authenticated (Subscriber level or higher).\n*   **Vulnerable Parameter:** Likely a nested array in `$_POST` (e.g., `settings` or `widgets_status`) containing checkbox values.\n*   **Preconditions:**\n    1.  The attacker must have a valid Subscriber account.\n    2.  The attacker must obtain a valid nonce (leaked via the admin settings page accessible to Subscribers).\n\n### 3. Code Flow (Inferred)\n1.  **Entry:** A POST request is sent to `admin-ajax.php` with `action=lae_admin_ajax`.\n2.  **Dispatch:** WordPress executes the hook `wp_ajax_lae_admin_ajax`.\n3.  **Handler:** The function `lae_admin_ajax()` (likely in `includes\u002Fadmin\u002Fclass-lae-admin-settings.php` or similar) is called.\n4.  **Verification:** The code calls `check_ajax_referer('lae-admin-settings-nonce', 'security')` (inferred nonce action and parameter). It **fails** to call `current_user_can()`.\n5.  **Sink (Storage):** The handler iterates through `$_POST['settings']` and saves them using `update_option('lae_settings', ...)`.\n6.  **Sink (Output):** When an Administrator visits the settings page (slug: `lae-settings`), the plugin retrieves the option and echoes the malicious value inside an HTML attribute (e.g., `\u003Cinput value=\"[XSS]\">`) without using `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nThe vulnerability description explicitly mentions that the nonce is leaked via improper access control on settings pages.\n\n1.  **Identify Settings Page:** The plugin settings page slug is likely `lae-settings`.\n2.  **Access as Subscriber:** Navigate to `\u002Fwp-admin\u002Fadmin.php?page=lae-settings` using a Subscriber session.\n3.  **Extract Nonce:**\n    -   The nonce is likely localized via `wp_localize_script`.\n    -   Use `browser_navigate` to the settings page.\n    -   Use `browser_eval` to find the nonce: `browser_eval(\"window.lae_settings_vars?.lae_admin_nonce\")` (inferred JS object name).\n    -   Alternatively, check for a hidden input: `browser_eval(\"document.querySelector('#lae_settings_nonce')?.value\")`.\n\n### 5. Exploitation Strategy\n1.  **Setup:** Create a Subscriber user and log in.\n2.  **Nonce Retrieval:** Access the settings page as the Subscriber and extract the `security` or `nonce` parameter.\n3.  **Injection:** Send a crafted AJAX request to modify a checkbox setting with an XSS payload.\n    *   **Tool:** `http_request`\n    *   **Method:** POST\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Body (URL-encoded):**\n        ```text\n        action=lae_admin_ajax\n        &security=[EXTRACTED_NONCE]\n        &settings[some_widget_checkbox]=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n        ```\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n4.  **Trigger:** Log in as an Administrator and navigate to the plugin settings page.\n\n### 6. Test Data Setup\n1.  **User:** Create a user with the `subscriber` role.\n2.  **Plugin Configuration:** Ensure the Livemesh Addons for Elementor plugin (v9.0 or below) is active.\n3.  **Page Creation:** (Optional) If the settings page is not directly accessible, check if the nonce is available on the dashboard or any page where the plugin enqueues admin scripts.\n\n### 7. Expected Results\n*   The AJAX request should return a success status (e.g., `{\"success\": true}`).\n*   When the Administrator views the settings page, the browser should execute the `alert(document.domain)` payload.\n*   The HTML source of the settings page should show the payload breaking out of an attribute: `\u003Cinput ... value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" ...>`.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the stored option:\n    `wp option get lae_settings --format=json`\n    Check if the injected string is present in the output.\n2.  **Response Check:** Verify the `http_request` response for the AJAX call contains a successful status code and JSON body.\n3.  **Visual Confirmation:** Use `browser_navigate` as an Admin to the settings page and use `browser_eval` to check for the existence of the injected script or the alert.\n\n### 9. Alternative Approaches\n*   **Payload Variations:** If `\"` is filtered, try `'` or a tag-based breakout: `\u003C\u002Flabel>\u003Cscript>alert(1)\u003C\u002Fscript>`.\n*   **Different Settings:** The description mentions \"multiple checkbox settings.\" If one field is sanitized, try others (e.g., settings for specific Elementor widgets like \"Accordion\" or \"Post Grid\").\n*   **Nonce Action Guessing:** If the settings page is unreachable even with improper AC, check the frontend source code. Sometimes admin-ajax nonces are inadvertently leaked on the frontend if the plugin shares logic between contexts. Look for `lae_` prefixed variables in the browser console.","The Livemesh Addons for Elementor plugin fails to perform authorization checks in its lae_admin_ajax() handler and improperly allows low-privileged users to access the settings page where nonces are exposed. This enables authenticated attackers (Subscriber+) to modify plugin settings and inject malicious scripts into checkbox fields, leading to Stored Cross-Site Scripting (XSS) that executes when an administrator visits the configuration panel.","\u002F\u002F File: includes\u002Fadmin\u002Fclass-lae-admin-settings.php\npublic function lae_admin_ajax() {\n    \u002F\u002F Nonce check is present, but the nonce is leaked to Subscribers via improper access control on settings pages\n    check_ajax_referer('lae-admin-settings-nonce', 'security');\n\n    \u002F\u002F BUG: Missing capability check like current_user_can('manage_options')\n    if (isset($_POST['settings'])) {\n        $settings = $_POST['settings'];\n        \u002F\u002F BUG: Settings are saved without sanitization\n        update_option('lae_settings', $settings);\n    }\n    wp_send_json_success();\n}\n\n---\n\n\u002F\u002F File: includes\u002Fadmin\u002Fviews\u002Fsettings-display.php\n\u002F\u002F Inferred location where settings are rendered\nforeach ($settings as $id => $val) {\n    \u002F\u002F BUG: $val is echoed into the value attribute without esc_attr()\n    echo '\u003Cinput type=\"checkbox\" name=\"settings[' . $id . ']\" value=\"' . $val . '\" ' . checked($val, 1, false) . ' \u002F>';\n}","--- a\u002Fincludes\u002Fadmin\u002Fclass-lae-admin-settings.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-lae-admin-settings.php\n@@ -10,6 +10,10 @@\n public function lae_admin_ajax() {\n     check_ajax_referer('lae-admin-settings-nonce', 'security');\n \n+    if (!current_user_can('manage_options')) {\n+        wp_send_json_error(__('Unauthorized access.', 'addons-for-elementor'), 403);\n+    }\n+\n     if (isset($_POST['settings'])) {\n-        $settings = $_POST['settings'];\n+        $settings = map_deep($_POST['settings'], 'sanitize_text_field');\n         update_option('lae_settings', $settings);\n     }\n--- a\u002Fincludes\u002Fadmin\u002Fviews\u002Fsettings-display.php\n+++ b\u002Fincludes\u002Fadmin\u002Fviews\u002Fsettings-display.php\n@@ -25,1 +25,1 @@\n-    echo '\u003Cinput type=\"checkbox\" name=\"settings[' . $id . ']\" value=\"' . $val . '\" ' . checked($val, 1, false) . ' \u002F>';\n+    echo '\u003Cinput type=\"checkbox\" name=\"settings[' . esc_attr($id) . ']\" value=\"' . esc_attr($val) . '\" ' . checked($val, 1, false) . ' \u002F>';","The exploit targets the missing capability check in the `lae_admin_ajax` handler combined with improper access control on the plugin's settings page. An attacker follows these steps:\n1. Authenticate as a Subscriber-level user.\n2. Access the plugin settings page (typically `\u002Fwp-admin\u002Fadmin.php?page=lae-settings`), which is accessible to Subscribers due to missing capability checks on the menu registration.\n3. Extract the `lae-admin-settings-nonce` from the page source or the `lae_settings_vars` JavaScript object.\n4. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with `action=lae_admin_ajax`, the extracted nonce in the `security` parameter, and a payload targeting a checkbox field (e.g., `settings[some_checkbox]=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`).\n5. The payload is stored in the database via `update_option`.\n6. The XSS triggers whenever an Administrator visits the Livemesh Addons settings page, as the injected script breaks out of the `value` attribute of the checkbox input.","gemini-3-flash-preview","2026-04-16 15:22:38","2026-04-16 15:22:57",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor\u002Ftags"]