Livemesh Addons for Elementor Missing Authorization Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Livemesh Addons for Elementor WordPress plugin, affecting all versions through 9.0. The issue arises from inadequate authorization checks in the AJAX handler 'lae_admin_ajax()' and insufficient output escaping in several checkbox settings fields. This vulnerability allows authenticated attackers with Subscriber-level access or higher to inject arbitrary scripts into the plugin settings, which are executed when an administrator accesses the settings page. Exploitation requires a valid nonce, which can be obtained through the plugin's flawed access controls on settings pages.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the plugin settings.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can inject scripts into the plugin settings via the 'lae_admin_ajax()' AJAX handler. This can be done by exploiting the lack of authorization checks and the improper output escaping on checkbox settings fields. Once the scripts are injected, they will execute when an administrator visits the plugin settings page.

Remediation

No patch is currently available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.