Description
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
Published: 2026-03-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The vulnerability in Happy Addons for Elementor allows an authenticated user with Contributor or higher privileges to modify the display conditions of any published "ha_library" template. The missing object‑level authorization and lack of capability checks on AJAX actions let the attacker modify conditions and inject unescaped attribute values into the template rendering. This results in a stored Cross‑Site Scripting (XSS) that is triggered when an administrator opens the Template Conditions panel, enabling the attacker to execute arbitrary JavaScript with the administrator’s privileges. The weakness corresponds to CWE‑639 (Access Control Weakness).
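The two defects named in the Description (a primitive capability check that ignores its object argument, and attribute output built by string concatenation) are shown below beside their hardened forms. This is an added illustration, not the plugin's code: the handler bodies, the nonce name, the meta key and the `ha_example_*` helper names are assumptions; only the AJAX action names, `ha_library`, and the `edit_posts`/`edit_post`/`esc_attr()` calls come from the page.

```php
<?php
// Illustrative WordPress AJAX handlers (example code, not the plugin's own).
// Helper names, the nonce action and the meta key are assumptions.

// --- Authorization: vulnerable pattern ---
// 'edit_posts' is a primitive capability, so the second argument is ignored:
// any user with edit_posts (Contributor and above) passes for every template ID.
function ha_example_validate_request_vulnerable( $template_id ) {
    check_ajax_referer( 'ha_example_condition_nonce', 'nonce' ); // assumed nonce name
    return current_user_can( 'edit_posts', $template_id );
}

// --- Authorization: hardened pattern ---
// 'edit_post' is a meta capability. WordPress maps it per post to
// edit_others_posts / edit_published_posts as needed, so a Contributor cannot
// pass it for a published template they do not own (object-level check).
function ha_example_validate_request_fixed( $template_id ) {
    check_ajax_referer( 'ha_example_condition_nonce', 'nonce' ); // assumed nonce name
    $template_id = absint( $template_id );
    if ( ! $template_id || 'ha_library' !== get_post_type( $template_id ) ) {
        return false;
    }
    return current_user_can( 'edit_post', $template_id );
}

// --- Rendering: vulnerable concatenation ---
// A stored value containing a double quote terminates the attribute, so
// whatever follows it is parsed as further attributes of the element.
function ha_example_cond_to_html_vulnerable( array $cond ) {
    return '<div class="ha-condition" data-value="' . $cond['value'] . '"></div>';
}

// --- Rendering: escaped output ---
// esc_attr() encodes quotes and angle brackets, so the value stays inert text
// inside the attribute regardless of what was stored.
function ha_example_cond_to_html_fixed( array $cond ) {
    return sprintf(
        '<div class="ha-condition" data-value="%s"></div>',
        esc_attr( $cond['value'] )
    );
}

// Update handler: object-level authorization before any write.
add_action( 'wp_ajax_ha_condition_update', function () {
    $template_id = isset( $_POST['template_id'] ) ? $_POST['template_id'] : 0;
    if ( ! ha_example_validate_request_fixed( $template_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_post_meta( absint( $template_id ), '_ha_example_condition', $value ); // assumed meta key
    wp_send_json_success();
} );

// Read handler: the capability check here is what the Description says
// ha_get_current_condition lacked.
add_action( 'wp_ajax_ha_get_current_condition', function () {
    $template_id = isset( $_POST['template_id'] ) ? $_POST['template_id'] : 0;
    if ( ! ha_example_validate_request_fixed( $template_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $cond = array( 'value' => get_post_meta( absint( $template_id ), '_ha_example_condition', true ) );
    wp_send_json_success( array( 'html' => ha_example_cond_to_html_fixed( $cond ) ) );
} );
```

When auditing a plugin for this class of bug, the quick check is whether each `current_user_can()` call that receives a post ID uses a meta capability (`edit_post`, `delete_post`, `read_post`); a primitive capability such as `edit_posts` never consults the ID. Escaping at output (`esc_attr()` for attributes, `esc_html()` for text) is the matching check on the rendering side.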

Affected Systems

All installations of the Happy Addons for Elementor plugin running versions up to and including 3.21.0 are affected. The plugin is distributed by thehappymonster and the vulnerability exists in the core condition‑management code of the plugin.

Risk and Exploitability

The CVSS score is 6.4, indicating medium severity, while the EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, marking it as a low-probability but potentially impactful issue. Exploitation requires web-based access to the site's admin area, and the attacker merely needs any account that holds the Contributor role or higher to perform the AJAX request. The attack vector is authenticated and does not require privileges beyond the standard Contributor capability. The XSS payload executes as soon as an administrator views the conditions panel.

Generated by OpenCVE AI on March 17, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Happy Addons for Elementor to version 3.22.0 or later.
  • If an immediate upgrade is not possible, restrict Contributor permissions or convert those users to a lower role that cannot edit posts.
  • Consider disabling or restricting access to the vulnerable AJAX actions "ha_condition_update" and "ha_get_current_condition" by using a firewall or plugin security tool.
  • Check the site for any injected JavaScript or malicious content and remove it.
  • Verify that the site's other plugins and themes are up to date and free from similar authorization or XSS flaws.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Thehappymonster; Thehappymonster happy Addons For Elementor; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Thehappymonster; Thehappymonster happy Addons For Elementor; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 08:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
Type: Title
  Values Removed: (none)
  Values Added: Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-639
Type: References
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T13:46:42.006Z

Reserved: 2026-02-20T21:49:53.519Z

Link: CVE-2026-2918

Vulnrichment

Updated: 2026-03-11T13:46:36.534Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T08:16:03.567

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-2918

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:39Z

Weaknesses