CVE-2026-39636

MEDIUM

WordPress Livemesh Addons for Elementor plugin <= 9.0 - Cross Site Scripting (XSS) vulnerability

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-39636. PoCs published by CatchCatOoO.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2026-39636, leveraging a WebSocket-based vulnerability in a Vite.js development server to achieve arbitrary file read via a crafted 'vite:invoke' message. The script includes detailed WebSocket handshake handling, proxy support, and payload delivery mechanisms.

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.

Exploits (1)

github WORKING POC

by CatchCatOoO · pythonpoc

https://github.com/CatchCatOoO/CVE-2026-39636-vulnerability-exp

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2026-39636, leveraging a WebSocket-based vulnerability in a Vite.js development server to achieve arbitrary file read via a crafted 'vite:invoke' message. The script includes detailed WebSocket handshake handling, proxy support, and payload delivery mechanisms.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Vite.js development server (version unspecified)

No auth needed

Prerequisites: Access to the target Vite.js development server on port 5173 · WebSocket connectivity to the target · Burp Suite or similar proxy for TLS interception (optional)

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed May 18, 2026 Full analysis →

References (1)

Core 1

Core References

Vdb Entry vdb-entry

https://patchstack.com/database/Wordpress/Plugin/addons-for-elementor/vulnerability/wordpress-livemesh-addons-for-elementor-plugin-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

livemesh/Livemesh Addons for Elementor < 9.0

Published Apr 08, 2026

Tracked Since Apr 08, 2026