Cyber Resilience

CVE-2026-1620

High

Published: 16 April 2026

Modified: 22 April 2026
KEV Added: not listed
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0082 (52.4th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-1620 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1620 is a Local File Inclusion vulnerability (CWE-98) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting the Livemesh Addons for Elementor plugin for WordPress in all versions up to and including 9.0. The flaw arises from insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which relies on an inadequate `str_replace()` approach that can be bypassed with recursive (nested) directory traversal patterns.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to include and execute arbitrary local files on the server through the widget's template parameter, provided they can trick an administrator into performing an action or into installing Elementor.

Advisories reference specific code locations in the plugin's `includes/helper-functions.php` file, including lines 669 and 671 in the 9.0 tag and in trunk, available via the WordPress plugin Trac. Additional details are provided in the Wordfence threat intelligence entry at https://www.wordfence.com/threat-intel/vulnerabilities/id/2483875a-84de-4a40-a69e-aee68da1ce3b?source=cve.

Vulnerability details

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter, provided they can trick an administrator into performing an action or installing Elementor.
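The following is an added illustration, not code from the Livemesh plugin or from Wordfence, of why a single-pass `str_replace()` guard is insufficient against nested traversal sequences and what a containment-based resolver looks like instead. The function names, the one-directory template layout and the temporary fixture are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Weak pattern (illustrative, not the plugin's code): one pass of str_replace()
// removes each "../" exactly once. Because the replacement is not repeated, the
// characters left behind by a nested pattern can themselves form a new "../".
function strip_traversal_once(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened resolver (assumed layout: templates are plain basenames inside
// $templateDir). Three independent checks: reduce to a basename, allowlist the
// characters, and confirm the canonical path stays under the canonical root.
function resolve_template(string $name, string $templateDir): ?string
{
    $base = basename($name);
    if (preg_match('/\A[a-z0-9_-]+\z/', $base) !== 1) {
        return null;                       // characters outside the allowlist
    }
    $root = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $base . '.php');
    if ($root === false || $path === false) {
        return null;                       // unknown template or missing directory
    }
    // Containment: the canonical path must begin with the canonical root plus separator.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary template directory holding one valid template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lae_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'grid.php', "<?php // template\n");

// Constructed inputs: a legitimate name, a plain traversal, and a nested one.
$inputs = ['grid', '../../wp-config', '....//....//wp-config'];
foreach ($inputs as $in) {
    $weak = strip_traversal_once($in);
    $safe = resolve_template($in, $dir) ?? 'rejected';
    printf("%-24s  weak: %-18s  hardened: %s\n", $in, $weak, $safe);
}

unlink($dir . DIRECTORY_SEPARATOR . 'grid.php');
rmdir($dir);
```

The weak function passes the nested input through as a plain traversal string, while the hardened resolver returns a path only for the template that actually exists under the root and rejects everything else.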

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.
Why these techniques?

LFI in a public-facing WordPress plugin directly enables remote code execution via arbitrary local file inclusion (T1190) and PHP command/script execution (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-58923 (shared CWE-98)
CVE-2025-69057 (shared CWE-98)
CVE-2024-54263 (shared CWE-98)
CVE-2026-28035 (shared CWE-98)
CVE-2026-28024 (shared CWE-98)
CVE-2025-67525 (shared CWE-98)
CVE-2025-22707 (shared CWE-98)
CVE-2025-69375 (shared CWE-98)
CVE-2026-22443 (shared CWE-98)
CVE-2025-53198 (shared CWE-98)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent (SI-10, Information Input Validation): Directly requires validation of the template name parameter to prevent local file inclusion via recursive directory traversal bypassing inadequate `str_replace()` sanitization.

prevent (SI-2, Flaw Remediation): Mandates timely remediation of the specific flaw in the `lae_get_template_part()` function within the Livemesh plugin by applying vendor patches.

prevent: Enforces restrictions on the widget's template parameter inputs to limit traversal payloads and unauthorized local file access.