Vulnerabilities and security researches foraddons-for-elementor addons-for-elementor

Direction: ascending

Jun 07, 2024

Elementor Addons by Livemesh # CVE-2021-24260

CVE, Research URL: CVE-2021-24260
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: May 06, 2021
Research Description: The “Livemesh Addons for Elementor” WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
Affected versions: max 2.6.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2022-3862

CVE, Research URL: CVE-2022-3862
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Dec 12, 2022
Research Description: The Livemesh Addons for Elementor WordPress plugin before 7.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: max 7.9.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-2539

CVE, Research URL: CVE-2024-2539
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 10, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget '_id' attributes in all versions up to, and including, 8.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.3.7.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-1464

CVE, Research URL: CVE-2024-1464
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 10, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ attribute of the Posts Slider widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.3.6.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-27986

CVE, Research URL: CVE-2024-27986
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Mar 14, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Elementor Addons by Livemesh allows Stored XSS.This issue affects Elementor Addons by Livemesh: from n/a through 8.3.5.
Affected versions: max 8.3.6.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-2655

CVE, Research URL: CVE-2024-2655
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 10, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post widgets in all versions up to, and including, 8.3.5 due to insufficient input sanitization and output escaping on author display names. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.3.7.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-1465

CVE, Research URL: CVE-2024-1465
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 10, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘carousel_skin’ attribute of the Posts Carousel widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.3.6.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-1458

CVE, Research URL: CVE-2024-1458
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 10, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘text_alignment’ attribute of the Animated Text widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.3.6.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-25598

CVE, Research URL: CVE-2024-25598
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Mar 15, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through 8.3.
Affected versions: max 8.3.1.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-1466

CVE, Research URL: CVE-2024-1466
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 10, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slider_style’ attribute of the Posts Multislider widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-27986 may be a duplicate of this issue.
Affected versions: max 8.3.6.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-0448

CVE, Research URL: CVE-2024-0448
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Feb 06, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget URL parameters in all versions up to, and including, 8.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.3.2.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-1235

CVE, Research URL: CVE-2024-1235
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Feb 29, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom class field in all versions up to, and including, 8.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.3.3.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-1461

CVE, Research URL: CVE-2024-1461
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 10, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ attribute of the Team Members widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.3.6.
Status: vulnerable

Jul 04, 2024

Elementor Addons by Livemesh # CVE-2024-2926

CVE, Research URL: CVE-2024-2926
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Jul 04, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.4.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-3638

CVE, Research URL: CVE-2024-3638
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Jul 04, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.4.2.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-2385

CVE, Research URL: CVE-2024-2385
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Jul 04, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.3.7 via several of the plugin's widgets through the 'style' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected versions: max 8.4.1.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-3639

CVE, Research URL: CVE-2024-3639
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Jul 04, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.4.
Status: vulnerable

Jul 08, 2024

Elementor Addons by Livemesh # CVE-2024-37547

CVE, Research URL: CVE-2024-37547
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Jul 06, 2024
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Livemesh Livemesh Addons for Elementor.This issue affects Livemesh Addons for Elementor: from n/a through 8.4.0.
Affected versions: max 8.3.7.
Status: vulnerable

Sep 26, 2024

Elementor Addons by Livemesh # CVE-2024-8858

CVE, Research URL: CVE-2024-8858
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Sep 25, 2024
Research Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘piechart_settings’ parameter in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.5.1.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2024-47303

CVE, Research URL: CVE-2024-47303
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Sep 25, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through 8.5.
Affected versions: max 8.5.1.
Status: vulnerable

Nov 15, 2024

Elementor Addons by Livemesh # CVE-2022-4974

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 7.1.4.
Status: vulnerable

Apr 13, 2026

Elementor Addons by Livemesh # CVE-2026-39636

CVE, Research URL: CVE-2026-39636
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 08, 2026
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.
Affected versions: max 9.0.
Status: vulnerable

Apr 17, 2026

Elementor Addons by Livemesh # CVE-2026-1620

CVE, Research URL: CVE-2026-1620
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 16, 2026
Research Description: The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor.
Affected versions: max 9.0.
Status: vulnerable

Elementor Addons by Livemesh # CVE-2026-1572

CVE, Research URL: CVE-2026-1572
Home page URL: Security reports for Elementor Addons by Livemesh
Application: Elementor Addons by Livemesh
Date: Apr 16, 2026
Research Description: The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages.
Affected versions: max 9.0.
Status: vulnerable