CVE-2026-1210 - Vulnerability Details

- Happy Addons for Elementor <= 3.20.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_elementor_data' Meta Field

Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-02-03

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Happy Addons for Elementor plugin for WordPress is vulnerable to stored cross‑site scripting when the _elementor_data meta field is insufficiently sanitized and does not escape output. This flaw allows an authenticated user with Contributor level or higher to inject arbitrary JavaScript into a page that will execute every time any site visitor loads the page. The injected script can steal session cookies, deface content, or redirect users to malicious sites.

Affected Systems

All installations of Happy Addons for Elementor version 3.20.7 and earlier are affected. The vulnerability exists within the plugin’s widget code and is present on all WordPress sites that use these versions of the add‑on.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation at this time. However, since the attack requires only authenticated access at the contributor level or higher, many sites might be able to attain the necessary privileges, and the stored nature of the flaw means that malicious payloads persist until an update or sanitization is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

thehappymonster

Happy Addons for Elementor

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.20.7

No data.

Vendor	Product	Confidence	Versions
Happymonster	Happy Addons For Elementor	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Happy Addons for Elementor plugin to a version newer than 3.20.7 if a fix is available.
If an update cannot be applied immediately, revoke Contributor‑level and higher access for roles that can edit Elementor widgets, or disable the plugin entirely until a patch is released.
Configure a web application firewall or security plugin to sanitize or strip inline JavaScript inserted into the _elementor_data meta field, and routinely audit page content for unexpected scripts.

Generated by OpenCVE AI on April 15, 2026 at 18:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2055
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2120
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/svg-draw/widget.php#L732
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2055
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2120
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/svg-draw/widget.php#L732
https://plugins.trac.wordpress.org/changeset/3451894/happy-elementor-addons/trunk/widgets/svg-draw/widget.php?old=3312461&old_path=happy-elementor-addons%2Ftrunk%2Fwidgets%2Fsvg-draw%2Fwidget.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/df4b554a-0336-404c-b06c-2bc98c99997d?source=cve

History

Wed, 04 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Happymonster Happymonster happy Addons For Elementor Wordpress Wordpress wordpress
Vendors & Products		Happymonster Happymonster happy Addons For Elementor Wordpress Wordpress wordpress

Tue, 03 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 03 Feb 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Happy Addons for Elementor <= 3.20.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_elementor_data' Meta Field
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2055 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2120 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/svg-draw/widget.php#L732 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2055 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2120 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/svg-draw/widget.php#L732 https://plugins.trac.wordpress.org/changeset/3451894/happy-elementor-addons/trunk/widgets/svg-draw/widget.php?old=3312461&old_path=happy-elementor-addons%2Ftrunk%2Fwidgets%2Fsvg-draw%2Fwidget.php https://www.wordfence.com/threat-intel/vulnerabilities/id/df4b554a-0336-404c-b06c-2bc98c99997d?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Happymonster Happy Addons For Elementor

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-03T06:38:04.971Z

Updated: 2026-04-08T17:28:29.873Z

Reserved: 2026-01-19T21:07:03.381Z

Link: CVE-2026-1210

Vulnrichment

Updated: 2026-02-03T15:26:03.315Z

NVD

Status : Deferred

Published: 2026-02-03T07:16:12.097

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1210

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object