PT-2026-33274 · WordPress · Livemesh Addons For Elementor

Published: 2026-04-16 · Updated: 2026-04-24 · CVE-2026-1572

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Livemesh Addons for Elementor versions prior to 9.1

Description: The plugin allows unauthorized modification of data and Stored Cross-Site Scripting (XSS) through plugin settings. This occurs because the AJAX handler lae_admin_ajax() lacks authorization checks and multiple checkbox settings fields have insufficient output escaping. Authenticated attackers with Subscriber-level access or higher can inject arbitrary web scripts into the plugin settings page. These scripts execute when an administrator visits the page, provided the attacker obtains a valid nonce, which may be leaked due to improper access control on settings pages.

Recommendations: Update to a version later than 9.0.
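
The two defects named in the description (an AJAX handler with no authorization check, and checkbox settings written to the page without escaping) map onto the hardened pattern below. This is an added example, not the plugin's own code or its actual fix: every lae_example_* name, the nonce action, the option name and the field keys are hypothetical, and the snippet assumes it is loaded inside a WordPress plugin.

```php
<?php
// Added illustration; all lae_example_* names are hypothetical, not the plugin's.
const LAE_EXAMPLE_OPTION = 'lae_example_settings';
const LAE_EXAMPLE_NONCE  = 'lae_example_save';
// Allowlist of checkbox fields the handler will accept.
const LAE_EXAMPLE_FIELDS = array( 'enable_widget_a', 'enable_widget_b' );

// wp_ajax_{action} fires for ANY logged-in user, Subscribers included,
// so the capability check has to live in the handler itself.
add_action( 'wp_ajax_lae_example_save', 'lae_example_save_settings' );

function lae_example_save_settings() {
    // 1. Nonce: proves intent only. It is not an authorization check.
    check_ajax_referer( LAE_EXAMPLE_NONCE, 'nonce' );

    // 2. Authorization: the kind of check the advisory says was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input: keep only known keys and reduce each to '1' or '0'.
    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array();
    foreach ( LAE_EXAMPLE_FIELDS as $key ) {
        $clean[ $key ] = empty( $raw[ $key ] ) ? '0' : '1';
    }
    update_option( LAE_EXAMPLE_OPTION, $clean );
    wp_send_json_success();
}

// Settings page: gate the page (and the nonce it prints), escape everything echoed.
function lae_example_render_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.' ) );
    }
    $saved = (array) get_option( LAE_EXAMPLE_OPTION, array() );
    echo '<form method="post">';
    wp_nonce_field( LAE_EXAMPLE_NONCE, 'nonce' );
    foreach ( LAE_EXAMPLE_FIELDS as $key ) {
        $value = isset( $saved[ $key ] ) ? $saved[ $key ] : '0';
        printf(
            '<label><input type="checkbox" name="settings[%1$s]" value="1" %2$s> %3$s</label>',
            esc_attr( $key ), checked( $value, '1', false ), esc_html( $key )
        );
    }
    echo '</form>';
}
```

Each layer covers a different part of the description: the capability check stops low-privilege writes, the gated renderer keeps the nonce away from users who should not see the settings page, and normalising on save plus escaping on output means a stored value is never emitted as markup.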

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-1572

Affected Products

Livemesh Addons For Elementor