PT-2026-33275 · WordPress · Livemesh Addons For Elementor

Craig Smith · Published 2026-04-16 · Updated 2026-04-24 · CVE-2026-1620

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Livemesh Addons for Elementor versions prior to 9.1

Description

The plugin is subject to Local File Inclusion due to insufficient sanitization of the template name parameter within the lae_get_template_part() function. The implementation uses an inadequate str_replace() method that can be bypassed using recursive directory traversal patterns. This allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary local files on the server by manipulating the widget's template parameter.

Recommendations

Update the plugin to a version later than 9.0.
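
The single-pass str_replace() weakness named in the description, shown as an added example that is not the plugin's code. The names weak_strip_traversal() and resolve_template() are hypothetical, the inputs and the temporary directory are constructed, and the allow-list plus realpath() containment check is one common hardening pattern, not necessarily the fix shipped by the vendor.

```php
<?php
// Added example: hypothetical helper names, not the plugin's code.

// Weak pattern: one pass of str_replace(). Removing a match can splice the
// surrounding characters into a new "../", which is never re-checked.
function weak_strip_traversal(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened pattern: accept only names from a fixed allow-list, then confirm
// the resolved path is still inside the template directory.
function resolve_template(string $name, string $baseDir, array $allowed): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;                 // unknown name: reject, do not try to "clean" it
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                 // directory or file does not exist
    }
    // Containment check on the canonical path (symlinks and ".." resolved).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway template directory holding one file.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'grid.php', '<?php // demo template');
$allowed = ['grid'];

// Constructed inputs: a legitimate name and a nested traversal sequence.
foreach (['grid', '....//....//outside'] as $input) {
    $weak = weak_strip_traversal($input);
    $hard = resolve_template($input, $baseDir, $allowed);
    printf("%-22s weak => %-18s hardened => %s\n",
        $input, $weak, $hard === null ? 'rejected' : basename($hard));
}

unlink($baseDir . DIRECTORY_SEPARATOR . 'grid.php');
rmdir($baseDir);
```

The weak filter returns a string that still contains parent-directory segments for the nested input, while the hardened resolver rejects it before any path is built from it.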

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-1620

Affected Products

Livemesh Addons For Elementor