CVE-2026-1620
Severity: High
Weakness type: CWE-98
Published: Apr 16, 2026  ·  Modified: Apr 23, 2026  ·  Source: NVD
CVSS v3: 8.8
📄 Description (English)

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter, provided they can trick an administrator into performing an action or install Elementor.
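The sanitization flaw described above, as an added illustration that is not the plugin's own code: a single-pass `str_replace()` check modelled on the description, beside a hardened lookup that allowlists the name and confines the resolved path. TEMPLATE_DIR, the function names and the sample input are assumptions.

```php
<?php
// Added example (not the plugin's own code): a single-pass str_replace()
// check modelled on the advisory's description, beside a hardened lookup.
// TEMPLATE_DIR, the function names and the sample input are assumptions.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Weak: str_replace() makes one non-recursive pass. Removing "../" once
// from "....//" leaves "../" behind, so nested input still climbs a level.
function weak_template_path(string $name): string {
    $name = str_replace('../', '', $name);
    return TEMPLATE_DIR . '/' . $name . '.php';
}

// Hardened: accept only a short alphanumeric template name (no dots,
// slashes or percent signs), then resolve the real path and confirm it
// still lies inside the template directory. Returns null on rejection.
function safe_template_path(string $name): ?string {
    if (!preg_match('/^[a-z0-9_-]{1,64}$/i', $name)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $candidate = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;                       // directory or file does not exist
    }
    // Compare with a trailing separator so "/templates-x" cannot pass as "/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the template directory
    }
    return $candidate;
}

// Constructed nested input: the weak check leaves "../" segments in the
// resulting path, while the hardened check rejects the name before any
// filesystem access happens.
$nested = '....//....//outside';
$weak = weak_template_path($nested);
echo 'weak check: ', (strpos($weak, '/../') !== false ? 'traversal survives' : 'clean'), "\n";
echo 'hardened check: ', (safe_template_path($nested) === null ? 'rejected' : 'accepted'), "\n";
```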

🤖 AI Executive Summary

CVE-2026-1620 is a Local File Inclusion (LFI) vulnerability in the Livemesh Addons for Elementor WordPress plugin, affecting all versions up to and including 9.0. Authenticated attackers with Contributor-level access can bypass the insufficient path sanitization using recursive directory traversal to include and execute arbitrary files on the server. With a CVSS score of 8.8 and no patch currently available, this poses a significant risk to WordPress installations using this plugin across Saudi organizations.

🤖 AI Intelligence Analysis (analyzed Apr 22, 2026 10:26)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using WordPress with Livemesh Addons for Elementor, particularly:
1. E-commerce and retail sector websites managing customer data
2. Government and municipal websites using WordPress for public services
3. Healthcare providers with patient information systems
4. Financial services and fintech companies
5. Media and publishing organizations
The risk is elevated in Saudi Arabia due to widespread WordPress adoption for business websites and the potential for attackers to access sensitive data, execute malicious code, or establish persistent backdoors on affected servers.
🏢 Affected Saudi Sectors
E-commerce and Retail; Government and Public Administration; Healthcare and Medical Services; Financial Services and Banking; Media and Publishing; Telecommunications; Education; Hospitality and Tourism
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations to identify if Livemesh Addons for Elementor is installed and active
2. Restrict Contributor-level access: Review user roles and remove unnecessary Contributor permissions; limit to Editor/Admin only
3. Disable the plugin immediately if not critical to operations

COMPENSATING CONTROLS (until patch available):
1. Implement Web Application Firewall (WAF) rules to block directory traversal patterns (../, ..\, recursive patterns)
2. Apply strict file permissions: Set WordPress directories to 755 and files to 644
3. Disable PHP execution in wp-content/uploads and other non-essential directories via .htaccess or nginx configuration
4. Monitor file access logs for suspicious template parameter requests
5. Implement Content Security Policy (CSP) headers to restrict file inclusion sources

DETECTION RULES:
1. Monitor POST/GET requests containing 'lae_get_template_part' with directory traversal patterns (../, encoded variants)
2. Alert on file inclusion attempts targeting sensitive files (/etc/passwd, wp-config.php, .env)
3. Track unexpected PHP execution in upload directories
4. Monitor for unusual file access patterns from web server process
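An added example (not from the advisory) of detection rule 1 run over constructed access-log lines: each query parameter is URL-decoded until the value stops changing, so plain, encoded, double-encoded, backslash and nested ("....//") traversal variants are all caught, and the offending parameter name is reported. The parameter name `template`, the request paths and the log lines are constructed assumptions.

```php
<?php
// Added example (not from the advisory): flag requests whose query
// parameters carry a directory-traversal pattern, including URL-encoded,
// double-encoded, backslash and nested ("....//") variants.

// Decode repeatedly until the value stops changing, so that
// "%252e%252e%252f" (double-encoded "../") is inspected as "../".
function fully_decode(string $value, int $maxRounds = 5): string {
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// True when the decoded value contains ".." followed by a path separator.
// A nested "....//" already contains "../" once decoded, so no extra
// collapsing step is needed here.
function has_traversal(string $value): bool {
    $decoded = str_replace('\\', '/', fully_decode($value));
    return preg_match('#\.\./#', $decoded) === 1;
}

// Parse the request target out of a combined-format log line and return
// the name of the first query parameter that carries traversal, or null.
function suspicious_parameter(string $logLine): ?string {
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $logLine, $m)) {
        return null;
    }
    $query = (string) parse_url($m[1], PHP_URL_QUERY);
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') continue;
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (has_traversal($value)) {
            return rawurldecode($name);
        }
    }
    return null;
}

// Constructed sample lines: one benign request and three traversal variants.
$logLines = [
    '203.0.113.5 - - [16/Apr/2026:10:00:01 +0300] "GET /?template=widget-default HTTP/1.1" 200 512',
    '203.0.113.6 - - [16/Apr/2026:10:00:02 +0300] "GET /?template=....//....//outside HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Apr/2026:10:00:03 +0300] "GET /?template=%252e%252e%252foutside HTTP/1.1" 200 512',
    '203.0.113.8 - - [16/Apr/2026:10:00:04 +0300] "GET /?template=..%5c..%5coutside HTTP/1.1" 200 512',
];
foreach ($logLines as $line) {
    $param = suspicious_parameter($line);
    echo ($param === null ? 'ok    ' : "ALERT traversal in '$param': ") . $line . "\n";
}
```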

PATCHING GUIDANCE:
1. Monitor Livemesh plugin repository for security updates
2. Subscribe to WordPress security mailing lists
3. When patch is released, test in staging environment before production deployment
4. Consider alternative plugins with better security track records if patch is delayed
🔧 Remediation Steps (Arabic)
(Arabic rendering of the English remediation steps above; the immediate actions, compensating controls, detection rules and patching guidance are identical.)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures; A.6.1.1 - Access Control Policy; A.6.2.1 - User Registration and De-registration; A.8.2.1 - Classification of Information; A.8.2.3 - Handling of Assets; A.12.2.1 - Restrictions on Software Installation; A.12.4.1 - Event Logging; A.12.4.3 - Administrator and Operator Logs; A.14.2.1 - Secure Development Policy
🔵 SAMA CSF
ID.AM-2 - Software Inventory; PR.AC-1 - Access Control Policy; PR.AC-4 - Access Rights Management; PR.DS-2 - Data Security; PR.PT-1 - Security Architecture; DE.CM-1 - Network Monitoring; DE.CM-3 - Personnel Activity Monitoring; RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
A.5.1.1 - Information Security Policies; A.6.1.1 - Access Control Policy; A.6.2.1 - User Registration and De-registration; A.8.1.1 - Inventory of Assets; A.8.2.3 - Handling of Assets; A.12.2.1 - Restrictions on Software Installation; A.12.4.1 - Event Logging; A.14.2.1 - Secure Development Policy; A.14.2.5 - Secure Development Environment
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall Configuration Standards; Requirement 2.2.4 - Configure System Security Parameters; Requirement 6.2 - Ensure Security Patches Installed; Requirement 6.5.1 - Injection Flaws; Requirement 10.2 - Implement Automated Audit Trails; Requirement 10.3 - Protect Audit Trail History
📊 CVSS Score: 8.8 / 10.0 (High)
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-98
EPSS: 0.08%
Exploit: No
Patch: No
Published: 2026-04-16
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 · Priority: CRITICAL
🏷️ Tags: CWE-98