Elementor Addon Vulnerability Exposes WordPress Sites to RCE
A critical local file inclusion (LFI) vulnerability, tracked as CVE-2026-1620, has been identified in the Livemesh Addons for Elementor plugin for WordPress. According to the National Vulnerability Database, all plugin versions up to and including 9.0 are affected. The flaw stems from insufficient sanitization of the template name within the lae_get_template_part() function: the str_replace() filter it relies on can be bypassed with recursive (nested) directory traversal patterns.
The vulnerability enables authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server. The attack vector leverages the widget’s template parameter, allowing an attacker to achieve local file execution. A successful exploit typically requires tricking an administrator into performing a specific action or installing Elementor, paving the way for potential full compromise of the affected WordPress instance.
The National Vulnerability Database has assigned CVE-2026-1620 a CVSS score of 8.8, classifying it as HIGH severity. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H highlights the network-based attack vector, low attack complexity, low privileges required, and no user interaction needed for a successful exploit, leading to high impacts on confidentiality, integrity, and availability. The weakness is CWE-98, improper control of the filename passed to a PHP include/require statement, which is why a file inclusion bug here amounts to code execution.
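To make the mechanism concrete, the following is an added example, not the plugin's own code: a weak, single-pass filter modelled on a `str_replace('../', '', $name)` call, placed beside a hardened resolver that confines the result to a fixed template directory. The template directory path and the `.php` suffix are assumptions for illustration.

```python
import os
import re

# Added example (not the plugin's code): a weak, single-pass filter modelled on
# str_replace('../', '', $name), next to a hardened resolver that confines the
# result to a fixed template directory. The directory path is an assumption.
TEMPLATE_DIR = os.path.realpath("/var/www/html/wp-content/plugins/example-addon/templates")
TEMPLATE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*")


def weak_sanitize(name: str) -> str:
    """Strip '../' once, as a single str_replace() call would.

    Because the replacement is not repeated, a nested sequence such as
    '....//' collapses into '../' only after the filter has run, so the
    traversal survives the check.
    """
    return name.replace("../", "")


def resolve_template(name: str, template_dir: str = TEMPLATE_DIR) -> str:
    """Return the absolute path of a template or raise ValueError.

    Two independent checks: an allow-list on the characters of the name, and a
    realpath-based containment check so that even a name that slips past the
    allow-list cannot resolve outside template_dir.
    """
    if not TEMPLATE_NAME_RE.fullmatch(name):
        raise ValueError(f"template name contains disallowed characters: {name!r}")
    candidate = os.path.realpath(os.path.join(template_dir, name + ".php"))
    if os.path.commonpath([template_dir, candidate]) != template_dir:
        raise ValueError(f"template resolves outside the template directory: {name!r}")
    return candidate


def is_allowed(name: str) -> bool:
    """Boolean wrapper around resolve_template() for callers that only need a verdict."""
    try:
        resolve_template(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed probe names: one legitimate, two traversal attempts.
    for probe in ("widgets/portfolio", "....//....//example", "../../example"):
        print(f"{probe!r:24} weak_sanitize -> {weak_sanitize(probe)!r:20} hardened -> {is_allowed(probe)}")
```

The hardened resolver deliberately does not try to "clean" the input. Stripping or rewriting traversal sequences invites exactly the nested-pattern bypass the advisory describes; rejecting anything that is not on the allow-list, and then verifying the resolved path with `realpath()` and a containment check, leaves no second pass for an attacker to exploit.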
What This Means For You
- If you run Livemesh Addons for Elementor at version 9.0 or earlier, patch immediately and audit web server and WordPress logs for signs of exploitation. Monitor vendor advisories for CVE-2026-1620 updates and patches.
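Auditing logs for this class of bug comes down to finding requests whose query parameters still contain a directory traversal sequence after URL decoding. The following is an added example, not part of the original advisory or of any vendor detection rule: it scans constructed Apache-style access log lines and reports the requests to review. The parameter name `lae_template`, the addresses, and the timestamps are all constructed for illustration; the real parameter name is whatever the affected widget uses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access log lines for illustration; not real traffic.
# The query parameter name "lae_template" is an assumption, not the plugin's.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Apr/2026:10:20:01 +0000] "GET /?lae_template=widgets/portfolio HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Apr/2026:10:20:05 +0000] "GET /?lae_template=....//....//example HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Apr/2026:10:21:13 +0000] "GET /?p=12 HTTP/1.1" 200 9310 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Apr/2026:10:21:40 +0000] "GET /?lae_template=%2e%2e%2f%2e%2e%2fexample HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# Fields of the Apache combined log format that the scan needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# '..' followed by a slash or backslash. Matching on the decoded value means the
# nested form ('....//') and the percent-encoded form are both caught, because
# both contain a literal '../' once decoding and collapsing are taken into account.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding, stopping when the value no longer changes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per query parameter whose decoded value contains traversal."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        query = urlsplit(match["target"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                hits.append({
                    "ip": match["ip"],
                    "timestamp": match["ts"],
                    "param": name,
                    "value": value,
                    "status": int(match["status"]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['timestamp']}  {hit['ip']:14}  {hit['param']}={hit['value']!r}  HTTP {hit['status']}")
```

A 200 response on a flagged request deserves more attention than a 500, since the former suggests the include succeeded. Because the vulnerability requires an authenticated Contributor-level account, correlate flagged requests with the WordPress session or user that issued them, and treat a hit from an account that should not be editing widgets as a likely credential compromise as well.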
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-1620 | Local File Inclusion | Livemesh Addons for Elementor plugin for WordPress versions <= 9.0 |
| CVE-2026-1620 | Local File Inclusion | Insufficient sanitization of 'template name' parameter in `lae_get_template_part()` function |
| CVE-2026-1620 | Local File Inclusion | Bypassable `str_replace()` using recursive directory traversal patterns |
| CVE-2026-1620 | Local File Inclusion | Authenticated attackers with Contributor-level access or above |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 16, 2026 at 10:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.