CVE-2026-1572 Overview
The Livemesh Addons for Elementor plugin for WordPress contains a combination of missing authorization checks and stored Cross-Site Scripting (XSS) vulnerabilities affecting all versions up to and including 9.0. The vulnerability exists in the AJAX handler lae_admin_ajax(), which lacks proper authorization checks, combined with insufficient output escaping on multiple checkbox settings fields. This allows authenticated attackers with Subscriber-level access or higher to store malicious scripts in the plugin's settings, which are then rendered on the plugin's settings page.
Critical Impact
Authenticated attackers can inject arbitrary web scripts that execute whenever an administrator accesses the plugin settings page, potentially leading to account takeover, data theft, or further site compromise.
Affected Products
- Livemesh Addons for Elementor plugin versions up to and including 9.0
- WordPress installations using the vulnerable plugin versions
- Sites with user registration enabled (Subscriber-level access required)
Discovery Timeline
- April 16, 2026 - CVE CVE-2026-1572 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1572
Vulnerability Analysis
This vulnerability combines two distinct weaknesses: a missing authorization check on the AJAX handler and stored Cross-Site Scripting (CWE-79). The lae_admin_ajax() function processes settings changes without verifying that the requesting user holds an administrative capability. A nonce check, where present, is CSRF protection only: it confirms that the request came from a page that issued that nonce to the current user, not that the user is authorized to modify plugin settings.
The second component is insufficient output escaping of checkbox settings fields. When an administrator views the settings page, the stored value is written into the page markup without escaping, so an attacker-supplied string that breaks out of the attribute or tag runs as JavaScript in the administrator's session.
Root Cause
The root cause stems from two failures in the plugin. First, the AJAX callback that WordPress's admin-ajax.php dispatches to, lae_admin_ajax(), saves settings without a capability check such as current_user_can('manage_options'). Second, the settings page rendering code outputs checkbox field values into HTML without escaping them (for example with esc_attr()).
The nonce used for CSRF protection is obtainable by attackers because the plugin's access control on its settings pages is also inadequate: the nonce is exposed to users with Subscriber-level access who should not be able to see these admin interfaces at all.
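The following is an added illustration of the two failures described above placed beside a hardened version; it is not Livemesh code. The hook name, option name, nonce action and field name are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Names below (lae_settings,
// lae_settings_nonce, enable_feature) are assumptions for illustration.

// VULNERABLE PATTERN: nonce only. Any logged-in user who obtains the nonce
// (leaked here on a page Subscribers can reach) passes this check and can
// write a raw string into the option that the settings page later echoes.
function example_lae_admin_ajax_vulnerable() {
    check_ajax_referer( 'lae_settings_nonce', 'nonce' ); // CSRF check, not authorization
    $settings = get_option( 'lae_settings', array() );
    $settings['enable_feature'] = $_POST['enable_feature']; // unsanitized, unbounded
    update_option( 'lae_settings', $settings );
    wp_send_json_success();
}

// Rendering side of the same flaw: stored value echoed into an attribute unescaped,
// so a value such as  " onmouseover="alert(document.cookie)  breaks out of value="".
function example_lae_render_checkbox_vulnerable( $settings ) {
    echo '<input type="checkbox" name="enable_feature" value="' . $settings['enable_feature'] . '" checked>';
}

// HARDENED: capability check plus nonce on write, strict typing on input,
// escaping on output.
function example_lae_admin_ajax_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // authorization, independent of the nonce
    }
    check_ajax_referer( 'lae_settings_nonce', 'nonce' );
    $settings = get_option( 'lae_settings', array() );
    // A checkbox carries one bit of information: store a boolean, never the raw string.
    $settings['enable_feature'] = isset( $_POST['enable_feature'] ) && '1' === $_POST['enable_feature'];
    update_option( 'lae_settings', $settings );
    wp_send_json_success();
}

function example_lae_render_checkbox_hardened( $settings ) {
    $enabled = ! empty( $settings['enable_feature'] );
    // checked() returns ' checked="checked"' only when $enabled is true;
    // esc_attr() escapes anything interpolated into an attribute.
    printf(
        '<input type="checkbox" name="%s" value="1"%s>',
        esc_attr( 'enable_feature' ),
        checked( $enabled, true, false )
    );
}

add_action( 'wp_ajax_example_lae_admin_ajax', 'example_lae_admin_ajax_hardened' );
```

The capability check runs before the nonce check so that a leaked nonce is worthless on its own, and the handler stores a boolean rather than whatever string arrived, which removes the stored-XSS sink even if a later template forgets to escape.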
Attack Vector
The attack requires network access and low-privilege authentication (Subscriber-level). An attacker must first obtain a valid nonce, which is possible due to the improper access control that leaks nonces to unauthorized users. Once the nonce is obtained, the attacker can craft AJAX requests to the lae_admin_ajax() endpoint to inject malicious JavaScript payloads into checkbox settings fields.
When an administrator subsequently visits the plugin settings page, the stored XSS payload executes in their browser context. This can lead to session hijacking, creation of rogue administrator accounts, installation of malicious plugins, or exfiltration of sensitive site data.
The vulnerability is particularly concerning because it affects sites that allow user registration, which is common for membership sites, e-commerce stores, and community platforms using WordPress.
Detection Methods for CVE-2026-1572
Indicators of Compromise
- Unexpected JavaScript code or HTML tags present in plugin settings values
- AJAX requests to WordPress admin-ajax.php with action parameter targeting lae_admin_ajax from non-administrator users
- Suspicious user accounts with Subscriber role making repeated requests to plugin settings endpoints
- Unauthorized modifications to Livemesh Addons for Elementor configuration options
Detection Strategies
- Review web server access logs for POST requests to wp-admin/admin-ajax.php; note that access logs record neither the POST body (where the action parameter usually travels) nor the WordPress user, so correlate by IP address, session or an application-level audit log to attribute requests to low-privilege accounts
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in POST data targeting the vulnerable AJAX handler
- Review database entries in wp_options table for the plugin's settings, checking for suspicious JavaScript or script tags
- Deploy application-level anomaly detection (an audit-log or security plugin) to flag authenticated users whose request patterns do not match their role, such as a Subscriber posting to admin endpoints
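An added example for the database review in the list above (it also serves the settings audit under Immediate Actions below). This is not the plugin's or the advisory's code; it assumes the plugin's options share an "lae_" name prefix and is meant to be run with `wp eval-file scan-lae-options.php` so that WordPress's database layer and serialization helpers are available.

```php
<?php
/**
 * Added example, not part of the plugin. Run with:
 *   wp eval-file scan-lae-options.php
 * Reads every wp_options row whose name starts with an assumed prefix and
 * reports values containing markup that a checkbox setting never needs.
 */
global $wpdb;

// Assumption: the plugin stores its settings under option names beginning with "lae_".
$prefix = 'lae_';

// Markers that should never appear in a checkbox/boolean setting value.
$patterns = array(
    '/<\s*script/i',                         // <script ...>
    '/\bon[a-z]+\s*=/i',                     // onload=, onerror=, onmouseover= ...
    '/javascript\s*:/i',                     // javascript: URLs
    '/<\s*(iframe|svg|img|object|embed)\b/i', // tags commonly used as XSS carriers
);

// Walk a (possibly nested, possibly serialized) option value and collect hits.
function lae_scan_value( $value, $path, array $patterns, array &$findings ) {
    if ( is_array( $value ) || is_object( $value ) ) {
        foreach ( (array) $value as $key => $child ) {
            lae_scan_value( $child, $path . '.' . $key, $patterns, $findings );
        }
        return;
    }
    if ( ! is_string( $value ) ) {
        return; // booleans and integers cannot carry markup
    }
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $value ) ) {
            $findings[] = array(
                'path'    => $path,
                'pattern' => $pattern,
                'value'   => substr( $value, 0, 120 ),
            );
            return;
        }
    }
}

$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        $wpdb->esc_like( $prefix ) . '%'
    )
);

$findings = array();
foreach ( $rows as $row ) {
    // Settings are usually stored serialized; unserialize before walking.
    lae_scan_value( maybe_unserialize( $row->option_value ), $row->option_name, $patterns, $findings );
}

if ( empty( $findings ) ) {
    WP_CLI::success( sprintf( 'No suspicious markup in %d option(s) with prefix %s', count( $rows ), $prefix ) );
} else {
    foreach ( $findings as $hit ) {
        WP_CLI::warning( sprintf( '%s matched %s: %s', $hit['path'], $hit['pattern'], $hit['value'] ) );
    }
    WP_CLI::error( sprintf( '%d suspicious value(s) found; review and clean them before an administrator opens the settings page', count( $findings ) ) );
}
```

Because the script only reads wp_options, it is safe to run on a live site; a non-zero exit from WP_CLI::error makes it usable in a scheduled check. Treat a hit as an indicator that the account which last changed the setting needs review, not just the value.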
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX requests, including the action name, user ID and role; WordPress does not log these by default, so an audit-log plugin or a small mu-plugin hook is required
- Configure alerts for settings changes initiated by non-administrator users
- Implement Content Security Policy headers to limit what an injected script can do; note that wp-admin relies heavily on inline scripts, so a CSP strict enough to block this payload outright needs careful testing
- Regularly audit user roles and remove unnecessary Subscriber accounts
How to Mitigate CVE-2026-1572
Immediate Actions Required
- Update Livemesh Addons for Elementor to a patched version beyond 9.0 when available
- Audit existing plugin settings for any suspicious JavaScript or HTML content
- Review user accounts with Subscriber role or higher and remove any unauthorized or suspicious accounts
- Temporarily disable user registration if not strictly required until patch is applied
Patch Information
Check the Wordfence Vulnerability Report for the latest patch status and remediation guidance. The vulnerability affects versions up to and including 9.0, so ensure you update to a version that addresses both the authorization bypass and output escaping issues. Review the WordPress Plugin Code to verify the fix has been implemented in newer versions.
Workarounds
- Restrict access to wp-admin for Subscriber-level users using a security plugin; .htaccess rules alone cannot distinguish roles, and admin-ajax.php must remain reachable because front-end features used by logged-in users depend on it
- Implement capability checks at the server level using custom code or security plugins to block unauthorized AJAX requests
- Use a Web Application Firewall to filter requests containing XSS payloads targeting the vulnerable endpoint
- Disable user registration temporarily until an official patch is available
# Add to .htaccess to block POST requests that carry the vulnerable action in the query string.
# Note: mod_rewrite cannot inspect the POST body, so a request that sends
# action=lae_admin_ajax as a form field passes this rule unchanged. Treat it as a
# partial, temporary measure; the server-side capability check below is the reliable one.
# It may also affect legitimate administrator use of the settings page.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} admin-ajax\.php
RewriteCond %{QUERY_STRING} (^|&)action=lae_admin_ajax(&|$) [NC]
RewriteRule .* - [F,L]
</IfModule>
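The server-level capability check listed under Workarounds, as an added example that is not Livemesh code. It assumes the vulnerable handler is reached through admin-ajax.php with action=lae_admin_ajax and that only users with manage_options should ever call it; placed in wp-content/mu-plugins/ it loads before the plugin and, because admin-ajax.php fires admin_init before dispatching any wp_ajax_{action} hook, it runs ahead of the plugin's own callback regardless of hook priority.

```php
<?php
/**
 * Plugin Name: LAE AJAX capability guard (temporary workaround)
 *
 * Added example, not part of the plugin. Save as
 * wp-content/mu-plugins/lae-ajax-guard.php and remove it once the plugin is
 * updated to a version that performs this check itself.
 * Assumptions: the action name is lae_admin_ajax and manage_options is the
 * capability that should gate it.
 */

add_action( 'admin_init', 'lae_guard_admin_ajax', 0 );

function lae_guard_admin_ajax() {
    // Only act on admin-ajax.php requests, never on normal wp-admin page loads.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // The action may arrive in the query string or the POST body; $_REQUEST covers both.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'lae_admin_ajax' !== $action ) {
        return;
    }

    // Administrators keep full use of the settings page.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Record the attempt with the details the Detection section asks for
    // (user and source), without writing the payload itself into the log.
    error_log( sprintf(
        'lae_admin_ajax blocked: user=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Stop before the plugin's handler runs; this also covers logged-out (nopriv) callers.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
```

Unlike the .htaccess rule, this guard sees the action parameter wherever it is sent and evaluates the real WordPress capability rather than a request shape, so it does not break administrator use of the page and cannot be bypassed by moving the parameter into the POST body.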
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


