Impact
The vulnerability in Happy Addons for Elementor arises from an Insecure Direct Object Reference (IDOR) in the admin action handler 'ha_duplicate_thing'. The can_clone() method verifies only that the user has the generic capability 'edit_posts', but it fails to confirm that the user has edit permission for the specific target post. Additionally, the nonce is bound to the generic action name instead of the post ID. This allows any authenticated user with Contributor-level privileges or higher to obtain a valid clone nonce from their own posts, change the post_id parameter, and clone any published post, page, or custom post type. The clone operation copies the full post content, all metadata including potentially sensitive widget configurations and API tokens, and taxonomies into a new draft owned by the attacker, leading to confidential data exposure and content tampering. This flaw is identified as CWE-639.
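The two gaps described above (a generic capability check and a nonce bound only to the action name), shown next to a hardened form. This is an added example, not the plugin's own code: every function, hook and nonce action prefixed `example_` is hypothetical, the copy step is reduced to title and content, and only `ha_duplicate_thing`, `edit_posts` and `post_id` come from the advisory. It assumes it is loaded inside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed example_ are hypothetical.
// Assumes it is loaded inside WordPress (for instance from a small test plugin).

// Weak pattern from the advisory: generic capability, nonce tied to the action name only.
function example_can_clone_weak() {
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    return current_user_can( 'edit_posts' ) && wp_verify_nonce( $nonce, 'ha_duplicate_thing' );
}

// Hardened pattern: object-level capability plus a nonce bound to the target post ID.
function example_can_clone_strict( $post_id ) {
    $post_id = absint( $post_id );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        return false;
    }
    // 'edit_post' is a meta capability: WordPress maps it to the rights needed
    // for this specific post (author, status, post type), unlike 'edit_posts'.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    return (bool) wp_verify_nonce( $nonce, 'example_duplicate_thing_' . $post_id );
}

// Link generation uses the same per-post nonce action and the same capability check.
function example_clone_url( $post_id ) {
    $post_id = absint( $post_id );
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return '';
    }
    $args = array( 'action' => 'example_duplicate_thing', 'post_id' => $post_id );
    return wp_nonce_url( add_query_arg( $args, admin_url( 'admin.php' ) ), 'example_duplicate_thing_' . $post_id );
}

// Handler: authorize before reading any content of the target post.
add_action( 'admin_action_example_duplicate_thing', function () {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( ! example_can_clone_strict( $post_id ) ) {
        wp_die( 'You are not allowed to duplicate this item.', '', array( 'response' => 403 ) );
    }
    $src = get_post( $post_id ); // Minimal copy for the example: title and content only.
    $new = wp_insert_post( wp_slash( array(
        'post_title' => $src->post_title, 'post_content' => $src->post_content,
        'post_type'  => $src->post_type,  'post_status'  => 'draft',
    ) ) );
    wp_safe_redirect( get_edit_post_link( $new, 'raw' ) ?: admin_url() );
    exit;
} );
```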
Affected Systems
All installations of the Happy Addons for Elementor plugin for WordPress (vendor: thehappymonster) up to and including version 3.21.0 are affected. Versions 3.21.1 and newer are not impacted.
Risk and Exploitability
The CVSS score is 5.4, indicating moderate severity; the EPSS score is below 1%, implying a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and possess at least Contributor-level capabilities to exploit the issue. They can simply retrieve a clone nonce from one of their own posts and modify the post_id parameter to target an arbitrary post. Once cloned, the attacker can publish or edit the newly created draft, potentially escalating the damage. Because no privilege escalation is involved, the threat is primarily to confidentiality and integrity of content rather than system access.