CVE-2026-1620 is a Local File Inclusion vulnerability in the Livemesh Addons for Elementor WordPress plugin affecting all versions up to 9.0. The issue arises from insufficient sanitization of the template name parameter in the lae_get_template_part() function, which uses an inadequate str_replace() method that can be bypassed using recursive directory traversal. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw to include and execute arbitrary local files on the server. This vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement). The CVSS v3.1 base score is 8.8, indicating high severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. No vendor advisory or patch is currently available, and no known exploits have been reported in the wild.

Successful exploitation allows an authenticated user with Contributor-level access or above to include and execute arbitrary local files on the server hosting the vulnerable WordPress plugin. This can lead to full compromise of the affected system, including disclosure, modification, or destruction of data and potential server takeover. The vulnerability impacts confidentiality, integrity, and availability of the system. However, exploitation requires authentication and some user interaction or tricking an administrator, limiting the attack surface.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access to trusted users only and monitor for suspicious activity related to template parameter usage. Avoid installing untrusted plugins or updates from unofficial sources. Consider disabling or limiting the use of the vulnerable plugin if possible.