CVE-2026-2917 affects Happy Addons for Elementor and it is an authenticated Contributor level insecure direct object reference in the Happy Clone post duplication flow. The vulnerable admin action accepts a user supplied post_id and checks only the broad edit_posts capability, which lets an attacker clone other users' published objects into a draft that they own. When the source object contains Elementor metadata or widget configuration, the copied draft can expose sensitive settings and create content integrity risk.

CVE: CVE-2026-2917
Plugin Version: Happy Addons for Elementor <= 3.21.0, fixed in 3.21.1
All Time: 13 510 641
Active installations: 400 000+
Publicly Published: March 10, 2026
Last Updated: March 11, 2026
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://www.cve.org/CVERecord?id=CVE-2026-2917
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/happy-elementor-addons/happy-addons-for-elementor-3210-insecure-direct-object-reference-to-authenticated-contributor-post-duplication-via-post-id-parameter

Timeline

February 16, 2026 - Plugin testing and vulnerability detection in Happy Addons for Elementor have been completed
February 20, 2026 - I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 10, 2026 - Registered CVE-2026-2917

Discovery of the Vulnerability

The vulnerable surface is the Happy Clone admin action at wp-admin/admin.php?action=ha_duplicate_thing. The request uses post_id to select the source object and a generic _wpnonce tied to ha_duplicate_thing. The authorization check in can_clone() verifies current_user_can('edit_posts'), but it does not verify current_user_can('edit_post', $post_id) or an equivalent post type specific capability for the selected object.

The clone operation copies the source title, content, metadata and related object data into a new draft owned by the current user. In real Elementor workflows, metadata may include widget configuration, integration options or third party tokens stored by widgets such as Mailchimp. This makes the bug both an access control issue and a data exposure issue.

Understanding of IDOR attacks

An IDOR appears when code trusts an object identifier from the request without checking whether the current user may act on that object. In WordPress, capability checks often need both a general role gate and an object scoped check. edit_posts only says that the account can edit some posts. It does not prove access to the post, page, template or custom post type referenced by post_id.

Nonce checks do not replace authorization. A nonce can confirm that a request came from a valid screen or action, but if it is generic and reusable across object IDs, changing the identifier can cross ownership or post type boundaries.

Exploiting the IDOR Vulnerability

An attacker needs an authenticated Contributor level account and a valid clone nonce from an object they can edit. After that, the attacker changes the post_id value in the Happy Clone request to target another object.

POC:
1. Log in as a Contributor or another role with edit_posts.
2. Create a new Post.
3. Open /wordpress/wp-admin/edit.php?post_type=post.
4. Click Happy Clone for a post the account can edit and copy the generated _wpnonce.
5. Reuse the same request while replacing post_id with the ID of another object in the WordPress installation.

GET /wordpress/wp-admin/admin.php?action=ha_duplicate_thing&post_id=381&ref=list&_wpnonce=nonce_from_clone_link HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Accept: text/html
Referer: http://127.0.0.1/wordpress/wp-admin/edit.php
Connection: keep-alive

Expected result:
A new draft clone is created under the attacker's account, even when the source object is not editable by that account.

The result is a draft copy created under the attacker’s account. The source object remains published, but its content and metadata become readable through the attacker’s draft editor.

Recommendations for Improved Security

Site owners should update Happy Addons for Elementor to version 3.21.1 or later. If an immediate update is not possible, restrict Contributor access and review new drafts for unexpected cloned pages or templates.

Developers should pair nonce validation with object level capability checks. The clone handler should verify current_user_can('edit_post', $post_id) or the matching post type capability before reading or copying the source object, and the nonce should be scoped as tightly as practical to the operation and target object.
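To make the distinction between the role gate and the object-scoped check concrete (the point made above under "Understanding of IDOR attacks" and in the developer recommendation), here is an added example handler for the ha_duplicate_thing action. It is not Happy Addons' own code; the function names and the per-object nonce suffix are assumptions for illustration.

```php
<?php
// Added example, not Happy Addons' own code: a ha_duplicate_thing handler that
// pairs a per-object nonce with an object-scoped capability check. Function
// names and the nonce suffix ('ha_duplicate_thing_<id>') are assumptions.
add_action( 'admin_action_ha_duplicate_thing', 'example_handle_clone_request' );

function example_handle_clone_request() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    // Broad role gate: necessary, but on its own this is the vulnerable check.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Nonce bound to this object: a nonce minted for post A is rejected once
    // post_id is swapped to post B.
    check_admin_referer( 'ha_duplicate_thing_' . $post_id );
    $source = get_post( $post_id );
    if ( ! $source instanceof WP_Post ) {
        wp_die( 'Source object not found.', 404 );
    }
    // Object-scoped check: map_meta_cap() resolves 'edit_post' to the post
    // type's own capability, so pages, templates and custom types are covered.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to clone this object.', 403 );
    }
    // Only now copy title, content and meta (where widget settings live)
    // into a draft owned by the current user.
    $new_id = wp_insert_post( array(
        'post_title'   => $source->post_title,
        'post_content' => $source->post_content,
        'post_type'    => $source->post_type,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ), true );
    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ), 500 );
    }
    foreach ( get_post_meta( $source->ID ) as $key => $values ) {
        foreach ( $values as $value ) {
            add_post_meta( $new_id, $key, maybe_unserialize( $value ) );
        }
    }
    wp_safe_redirect( admin_url( 'edit.php?post_type=' . $source->post_type ) );
    exit;
}

// The Happy Clone link must be minted with the same per-object nonce action.
function example_clone_link( int $post_id ) {
    $url = admin_url( 'admin.php?action=ha_duplicate_thing&post_id=' . $post_id );
    return wp_nonce_url( $url, 'ha_duplicate_thing_' . $post_id );
}
```

With the nonce tied to the post ID, the request from the PoC fails at check_admin_referer() before the source object is even loaded, and a nonce that does match still cannot pass the edit_post check for an object the account may not edit.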

By taking proactive measures to address IDOR vulnerabilities like CVE-2026-2917, WordPress website owners can reduce the risk created by broad capability checks and protect private page data from unintended cloning. Stay vigilant, stay secure.

CVE-2026-2917 – Happy Addons – IDOR allows unauthorized cloning of content and sensitive widget metadata – POC

Dmitrii I

Pentester with 5 years of hands-on experience securing WordPress and web applications, holding OSWE, OSEP, OSCP, and OSWP certifications. Author of 450 published CVEs, including 35 disclosed within the last month. Specializes in discovering and validating high-impact vulnerabilities in WordPress plugins/themes / Custom WEB applications and delivering actionable remediation guidance to harden production sites.
