CVE-2026-1620
Published: 16 April 2026
Summary
CVE-2026-1620 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 47.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1620 is a Local File Inclusion vulnerability (CWE-98) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting the Livemesh Addons for Elementor plugin for WordPress in all versions up to and including 9.0. The flaw arises from insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which relies on a `str_replace()` call to strip traversal sequences; a single replacement pass is not idempotent and can be bypassed with nested (recursive) directory traversal patterns.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to include and execute arbitrary local files on the server through the widget's template parameter. Successful exploitation requires tricking an administrator into performing an action or installing Elementor.
Advisories reference specific code locations in the plugin's `includes/helper-functions.php` file, including lines 669 and 671 in the 9.0 tag and trunk versions, available via WordPress plugin trac. Additional details are provided in Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/2483875a-84de-4a40-a69e-aee68da1ce3b?source=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23205
Vulnerability details
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary local files on the server via the widget's template parameter, provided they can trick an administrator into performing an action or installing Elementor.
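As an added illustration (not the plugin's own code, and not a reproduction of `lae_get_template_part()`): a PHP sanitizer built on a single `str_replace('../', '', ...)` pass, of the kind the advisory calls inadequate, next to a hardened lookup that allow-lists the template slug and confirms the resolved path stays inside the template directory. The function names, the temporary template directory and the three inputs are constructed for the demonstration and are assumptions, not values from the advisory.

```php
<?php
// Added example for this advisory; not code from the Livemesh plugin.
// Function names and the template layout are assumptions for illustration.

// 1. The kind of sanitizer the advisory calls inadequate: one str_replace() pass.
//    Removing "../" once is not idempotent: "....//" collapses to "../" after the pass,
//    so a nested pattern survives the "sanitization" intact.
function weak_sanitize_template(string $name): string
{
    return str_replace('../', '', $name);
}

// 2. A hardened lookup: allow-list the slug, then confirm the resolved path sits
//    below the template directory (defence in depth if the allow-list is ever loosened).
function safe_template_path(string $name, string $template_dir): ?string
{
    // Plain slugs only; no slashes, dots or NUL bytes ever reach the filesystem call.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    $base = realpath($template_dir);
    $candidate = realpath($template_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory or template file does not exist
    }
    // The canonical file path must start with the canonical base directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// 3. Demonstration with a constructed template directory and constructed inputs.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lae-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'grid.php', "<?php // demo template\n");

$inputs = ['grid', '../grid', '....//....//outside-template'];
foreach ($inputs as $in) {
    $weak = weak_sanitize_template($in);
    $safe = safe_template_path($in, $dir);
    printf("%-30s weak=>%-24s safe=>%s\n", $in, $weak, $safe ?? 'rejected');
}
// The third input becomes '../../outside-template' after the weak pass, so traversal
// survives; the hardened function accepts only 'grid' and rejects the other two.

unlink($dir . DIRECTORY_SEPARATOR . 'grid.php');
rmdir($dir);
```

The allow-list regex does the real work: once slashes and dots cannot appear in the slug, no traversal sequence can be assembled, and the `realpath()` containment check only guards against a future change that widens the accepted characters. Detection-side, requests whose template parameter contains `..`, `/`, or URL-encoded equivalents are worth alerting on regardless of whether the plugin has been patched.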
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in public-facing WordPress plugin directly enables remote code execution via arbitrary local file inclusion (T1190) and PHP command/script execution (T1059.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the template name parameter to prevent local file inclusion via recursive directory traversal that bypasses the inadequate `str_replace()` sanitization.
- SI-2 (Flaw Remediation): mandates timely remediation of the specific flaw in the `lae_get_template_part()` function within the Livemesh plugin by applying vendor patches.
- Enforces restrictions on the widget's template parameter inputs to limit traversal payloads and unauthorized local file access.