{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39636", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.490Z", "datePublished": "2026-04-08T08:30:30.492Z", "dateUpdated": "2026-04-08T08:30:30.492Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "addons-for-elementor", "product": "Livemesh Addons for Elementor", "vendor": "livemesh", "versions": [{"lessThanOrEqual": "9.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:35.579Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.<p>This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:30.492Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/addons-for-elementor/vulnerability/wordpress-livemesh-addons-for-elementor-plugin-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Livemesh Addons for Elementor plugin <= 9.0 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0."}], "id": "CVE-2026-39636", "lastModified": "2026-04-08T09:16:34.270", "metrics": {}, "published": "2026-04-08T09:16:34.270", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/addons-for-elementor/vulnerability/wordpress-livemesh-addons-for-elementor-plugin-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T10:10:43.213611+00:00", "value": {"mitigation_remediation": ["Update the Livemesh Addons for Elementor plugin to the latest version that contains the fix.", "If an update is not immediately available, disable the plugin until a patched version is released.", "Review any existing content that may contain injected scripts and remove or sanitize it.", "Monitor the vendor\u2019s security advisories for further information or new updates."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting risk"}, "threat_synthesis": {"affected_systems": "The affected product is the Livemesh Addons for Elementor WordPress plugin, versions up to and including 9.0. All releases from the earliest available version through 9.0 are vulnerable. WordPress site owners who use this plugin should verify their plugin version and plan an upgrade.", "description_and_impact": "An improper neutralization of input during web page generation results in a stored cross\u2011site scripting vulnerability in the Livemesh Addons for Elementor plugin. This flaw can allow an attacker to inject malicious scripts that are retained in the site\u2019s content and later executed in the browser of any visitor. The vulnerability is categorized as CWE\u201179 and can lead to theft of user credentials, session hijacking, or defacement of the site.", "risk_and_exploitability": "The CVSS score is not disclosed, and EPSS data is unavailable, so the objective severity is unclear. However, stored XSS typically requires the ability to submit or modify content, suggesting that an authenticated user with content\u2011creation rights could exploit it. No publicly known exploit is listed, and the vulnerability is not in the CISA KEV catalog. Nevertheless, because of the potential impact on confidentiality and integrity for site visitors, administrators should treat the issue with moderate to high risk and act promptly."}}}}, "created": "2026-04-08T19:41:39.111049+00:00", "updated": "2026-04-08T19:41:39.111075+00:00", "vendors": []}