CVE-2026-1572 is a stored cross-site scripting vulnerability in the Livemesh Addons for Elementor WordPress plugin affecting all versions up to 9.0. The issue stems from missing authorization checks on the AJAX handler `lae_admin_ajax()` and inadequate output escaping on multiple checkbox settings fields. This allows authenticated users with Subscriber-level privileges or above to inject arbitrary scripts into plugin settings. These scripts execute in the context of administrators accessing the settings page if a valid nonce is obtained, which can be leaked due to improper access control. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity), indicating a network attack vector with low attack complexity and privileges required, no user interaction, and impacts confidentiality and integrity with no availability impact. No patch or official remediation is currently documented.

An attacker with Subscriber-level access or higher can exploit this vulnerability to inject and store malicious scripts in the plugin settings page. These scripts execute when an administrator accesses the settings page, potentially leading to unauthorized data modification and compromise of administrator session or privileges. The impact affects confidentiality and integrity but does not affect availability. Exploitation requires obtaining a valid nonce, which may be leaked due to improper access control. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level access to trusted users only and monitor for suspicious activity related to plugin settings. Administrators should be cautious when accessing plugin settings pages and consider limiting access to these pages. Follow vendor communications for updates on patches or official mitigations.