Impact
The vulnerability is a missing authorization flaw that allows attackers to bypass configured access control limits in the Happy Addons for Elementor WordPress plugin. Because the plugin fails to enforce proper permissions, an individual with limited site access could invoke privileged functions, potentially compromising confidential content or introducing malicious code. The weakness is classified under CWE‑862, indicating that the software does not validate that the user has the necessary rights before performing the action.
Affected Systems
The affected product is HappyMonster’s Happy Addons for Elementor. All releases up to and including version 3.20.3 are impacted; any installation of the plugin that has not yet been updated beyond 3.20.3 remains vulnerable.
Risk and Exploitability
Based on the description, it is inferred that attackers would need to access the site over the network. The CVSS score of 4.3 places the vulnerability in the low‑to‑medium severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not actively exploited on a large scale. The flaw appears to be exploitable by anyone able to reach the plugin’s administrative interfaces, possibly even unauthenticated users if the plugin’s routes are not protected. Overall, the risk is considered moderate due to the potential for unauthorized content manipulation, but the likelihood of a real-world attack remains small.