CVE-2026-2917 affects Happy Addons for Elementor. It is an insecure direct object reference (IDOR) in the Happy Clone post duplication flow, exploitable by an authenticated Contributor-level user. The vulnerable admin action accepts a user-supplied post_id and checks only the broad edit_posts capability, which lets an attacker clone other users' published objects into a draft that the attacker owns. When the source object contains Elementor metadata or widget configuration, the copied draft can expose sensitive settings and creates a content integrity risk.
| Field | Value |
|---|---|
| CVE | CVE-2026-2917 |
| Plugin version | Happy Addons for Elementor <= 3.21.0, fixed in 3.21.1 |
| All-time downloads | 13 510 641 |
| Active installations | 400 000+ |
| Publicly published | March 10, 2026 |
| Last updated | March 11, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| CVE record | https://www.cve.org/CVERecord?id=CVE-2026-2917 |
| Wordfence advisory | https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/happy-elementor-addons/happy-addons-for-elementor-3210-insecure-direct-object-reference-to-authenticated-contributor-post-duplication-via-post-id-parameter |
Timeline
| Date | Event |
|---|---|
| February 16, 2026 | Plugin testing and vulnerability detection in Happy Addons for Elementor were completed |
| February 20, 2026 | I contacted the plugin author and provided a PoC with a description of the vulnerability and recommendations for a fix |
| March 10, 2026 | CVE-2026-2917 registered |
Discovery of the Vulnerability
The vulnerable surface is the Happy Clone admin action at wp-admin/admin.php?action=ha_duplicate_thing. The request uses post_id to select the source object and a generic _wpnonce tied to the ha_duplicate_thing action. The authorization check in can_clone() verifies current_user_can('edit_posts'), but it never verifies current_user_can('edit_post', $post_id) or the equivalent post type specific meta capability for the selected object, so any object ID the account can name is accepted.
The clone operation copies the source title, content, metadata and related object data into a new draft owned by the current user. In real Elementor workflows, metadata may include widget configuration, integration options or third party tokens stored by widgets such as Mailchimp. This makes the bug both an access control issue and a data exposure issue.
Understanding of IDOR attacks
An IDOR appears when code trusts an object identifier from the request without checking whether the current user may act on that object. In WordPress, capability checks usually need both a general role gate and an object-scoped check. edit_posts only establishes that the account may create and edit its own posts. It does not prove access to the post, page, template or custom post type referenced by post_id; that requires a meta capability such as edit_post checked against the specific ID, which map_meta_cap resolves to edit_others_posts or edit_published_posts as appropriate.
Nonce checks do not replace authorization. A WordPress nonce is derived from the action string, the user and the session, not from the object, so a nonce for ha_duplicate_thing confirms that the request came from a valid screen but says nothing about which object it may touch. If the nonce is generic and reusable across object IDs, changing the identifier crosses ownership or post type boundaries unchallenged. Core scopes its own nonces to the object for this reason, for example trash-post_{ID} on the post list.
Exploiting the IDOR Vulnerability
An attacker needs an authenticated Contributor-level account and a valid clone nonce, which the Happy Clone link on any object the account can edit provides. After that, the attacker replaces the post_id value in the Happy Clone request with the ID of another object.
PoC:

1. Log in as a Contributor or another role with edit_posts.
2. Create a new Post.
3. Open /wordpress/wp-admin/edit.php?post_type=post.
4. Click Happy Clone for a post the account can edit and copy the generated _wpnonce.
5. Reuse the same request while replacing post_id with the ID of another object in the WordPress installation (the authenticated session cookie, omitted below, must be sent with it):

```http
GET /wordpress/wp-admin/admin.php?action=ha_duplicate_thing&post_id=381&ref=list&_wpnonce=nonce_from_clone_link HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Accept: text/html
Referer: http://127.0.0.1/wordpress/wp-admin/edit.php
Connection: keep-alive
```

Expected result: a new draft clone is created under the attacker's account, even when the source object is not editable by that account.
The result is a draft copy created under the attacker’s account. The source object remains published, but its content and metadata become readable through the attacker’s draft editor.
Recommendations for Improved Security
Site owners should update Happy Addons for Elementor to version 3.21.1 or later. If an immediate update is not possible, limit or suspend Contributor-level accounts, and review recently created drafts, including Elementor templates, for unexpected clones of other users' content.
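For the review step above, the following is an added example (not CleanTalk's or the plugin's code) of a script, run with `wp eval-file find-clones.php`, that flags drafts that look like clones of another user's published content. It relies on one assumption the advisory supports, that the clone keeps the source title, and treats a draft as suspicious when its owner could not edit the source object; the function name, the 30-day window and the output format are assumptions made for illustration.

```php
<?php
/**
 * Added example (not CleanTalk's or the plugin's code): list draft posts that
 * look like Happy Clone copies of someone else's published content.
 *
 * Heuristic (an assumption, not a documented marker): the clone keeps the
 * source title, is a draft, and is owned by a user who cannot edit the source.
 * Run inside WordPress, for example `wp eval-file find-clones.php`.
 */

function ha_find_suspicious_clones( $days = 30 ) {
    global $wpdb;

    // Join drafts to published objects with the same title but another author.
    // No post_type filter: pages and Elementor templates are in scope too.
    $sql = $wpdb->prepare(
        "SELECT d.ID AS draft_id, d.post_author AS draft_author, d.post_date,
                d.post_type, d.post_title,
                s.ID AS source_id, s.post_author AS source_author
           FROM {$wpdb->posts} d
           JOIN {$wpdb->posts} s
             ON s.post_title = d.post_title
            AND s.post_status = 'publish'
            AND s.post_author <> d.post_author
          WHERE d.post_status = 'draft'
            AND d.post_date >= DATE_SUB( NOW(), INTERVAL %d DAY )
          ORDER BY d.post_date DESC",
        $days
    );

    $suspects = array();
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        $owner = get_userdata( (int) $row->draft_author );
        if ( ! $owner ) {
            continue;
        }
        // Editors and Administrators may clone others' work legitimately.
        if ( user_can( $owner, 'edit_others_posts' ) ) {
            continue;
        }
        // Apply the object-level check the vulnerable handler skipped: if the
        // draft owner still cannot edit the source, the copy should not exist.
        if ( user_can( $owner, 'edit_post', (int) $row->source_id ) ) {
            continue;
        }
        $suspects[] = $row;
    }
    return $suspects;
}

foreach ( ha_find_suspicious_clones( 30 ) as $s ) {
    printf(
        "draft #%d (%s) by user %d on %s copies published #%d by user %d: %s\n",
        $s->draft_id, $s->post_type, $s->draft_author, $s->post_date,
        $s->source_id, $s->source_author, $s->post_title
    );
}
```

Title matching is deliberately loose; a legitimate draft that happens to share a title with someone else's published post will appear in the list, so treat hits as leads for manual review of the draft's Elementor metadata rather than as proof of abuse.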
Developers should pair nonce validation with object-level capability checks. The clone handler should verify current_user_can('edit_post', $post_id), or the matching meta capability of the object's post type, before reading or copying the source object, and the nonce should be scoped to the operation and the target object rather than to the action name alone.
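To make the pattern described under Discovery of the Vulnerability and the fix recommended here concrete, the following is an added example and not the plugin's source: a handler with the flawed shape the advisory describes next to a hardened one. The action name and can_clone() follow the advisory; the function bodies, the hook registration and the meta-copying helper are assumptions made for illustration.

```php
<?php
/**
 * Added example, not the plugin's source: the access-control pattern the
 * advisory describes, as a vulnerable handler beside a hardened one.
 * The action name and can_clone() follow the advisory; the function bodies,
 * hook registration and meta copying are assumptions made for illustration.
 */

/* ---- Vulnerable shape: role gate plus generic nonce, no object check ---- */

function vulnerable_can_clone() {
    // Only asks "may this account edit some posts"; every Contributor passes.
    return current_user_can( 'edit_posts' );
}

function vulnerable_duplicate_thing() {
    // The nonce is bound to the action string alone, so one token is valid
    // for every post_id the attacker substitutes.
    check_admin_referer( 'ha_duplicate_thing' );

    if ( ! vulnerable_can_clone() ) {
        wp_die( 'Not allowed' );
    }
    $source = get_post( absint( $_GET['post_id'] ?? 0 ) ); // any object, any owner
    if ( $source ) {
        clone_post_to_draft( $source );
    }
}

/* ---- Hardened shape: object-scoped capability and object-scoped nonce ---- */

function hardened_can_clone( $post_id ) {
    $source = get_post( $post_id );
    if ( ! $source ) {
        return false;
    }
    // Resolve the post type's own edit meta-capability (edit_post, edit_page,
    // or whatever a custom type maps) and test it against *this* object.
    $type = get_post_type_object( $source->post_type );
    return $type && current_user_can( $type->cap->edit_post, $post_id );
}

function hardened_clone_nonce_url( $post_id ) {
    // Bind the nonce to the target ID, as core does with trash-post_{ID}.
    $post_id = absint( $post_id );
    $url     = admin_url( 'admin.php?action=ha_duplicate_thing&post_id=' . $post_id );
    return wp_nonce_url( $url, 'ha_duplicate_thing_' . $post_id );
}

function hardened_duplicate_thing() {
    $post_id = absint( $_GET['post_id'] ?? 0 );

    // Authorization before any read of the source object.
    if ( ! $post_id || ! hardened_can_clone( $post_id ) ) {
        wp_die( 'You are not allowed to clone this item.', 403 );
    }
    // A swapped post_id now also invalidates the nonce.
    check_admin_referer( 'ha_duplicate_thing_' . $post_id );

    clone_post_to_draft( get_post( $post_id ) );
}

/* ---- Shared helper (illustrative): copy title, content and all meta ---- */

function clone_post_to_draft( WP_Post $source ) {
    $new_id = wp_insert_post( array(
        'post_title'   => $source->post_title,
        'post_content' => $source->post_content,
        'post_type'    => $source->post_type,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ), true );
    if ( is_wp_error( $new_id ) ) {
        wp_die( $new_id );
    }
    // Copying every meta row is what turns the IDOR into data exposure
    // (Elementor settings, widget tokens); it is acceptable only behind the
    // object-level check above.
    foreach ( get_post_meta( $source->ID ) as $key => $values ) {
        foreach ( $values as $value ) {
            add_post_meta( $new_id, $key, maybe_unserialize( $value ) );
        }
    }
    return $new_id;
}

add_action( 'admin_action_ha_duplicate_thing', 'hardened_duplicate_thing' );
```

Two details carry the fix. First, hardened_can_clone() asks the post type object for its edit meta capability instead of hard-coding edit_post, so pages and custom types such as Elementor templates get their own mapping, and map_meta_cap turns it into edit_others_posts or edit_published_posts for a Contributor targeting someone else's published post. Second, the nonce action embeds the post ID, so the token copied from the Happy Clone link of the attacker's own post fails check_admin_referer() as soon as post_id is changed.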
By taking proactive measures against IDORs like CVE-2026-2917, WordPress website owners can reduce the risk created by broad capability checks and protect page content and Elementor metadata from unintended cloning. Stay vigilant, stay secure.
#WordPressSecurity #IDOR #AccessControl #WebsiteSafety #StayProtected #MediumVulnerability
