Vulnerabilities and security researches forhappy-elementor-addons happy-elementor-addons

Direction: ascending

Jun 07, 2024

Happy Addons for Elementor # CVE-2021-24292

CVE, Research URL: CVE-2021-24292
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 17, 2021
Research Description: The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added by the “heading_tag” parameter.
Affected versions: max 3.8.0.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-24833

CVE, Research URL: CVE-2024-24833
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 08, 2024
Research Description: Missing Authorization vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.10.1.
Affected versions: max 3.10.2.
Status: vulnerable

Happy Addons for Elementor # CVE-2023-6632

CVE, Research URL: CVE-2023-6632
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Jan 11, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via DOM in all versions up to and including 3.9.1.1 (versions up to 2.9.1.1 in Happy Addons for Elementor Pro) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 3.10.1.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-2789

CVE, Research URL: CVE-2024-2789
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Apr 10, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Calendy widget in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.5.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-2786

CVE, Research URL: CVE-2024-2786
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Apr 10, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on the title_tag attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.4.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-2788

CVE, Research URL: CVE-2024-2788
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Apr 10, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title HTML Tag in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.5.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-1498

CVE, Research URL: CVE-2024-1498
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Apr 10, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Photo Stack Widget in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.4.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-3724

CVE, Research URL: CVE-2024-3724
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 02, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Stack Group, Photo Stack, & Horizontal Timeline widgets in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.5.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-1387

CVE, Research URL: CVE-2024-1387
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Apr 10, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to insufficient authorization on the duplicate_thing() function in all versions up to, and including, 3.10.4. This makes it possible for attackers, with contributor-level access and above, to clone arbitrary posts (including private and password protected ones) which may lead to information exposure.
Affected versions: max 3.10.5.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-1377

CVE, Research URL: CVE-2024-1377
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Mar 07, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author_meta_tag’ attribute of the Author Meta widget in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.4.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-4391

CVE, Research URL: CVE-2024-4391
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 16, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Event Calendar widget in all versions up to, and including, 3.10.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.8.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-5041

CVE, Research URL: CVE-2024-5041
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 31, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ha-ia-content-button’ parameter in all versions up to, and including, 3.10.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.11.0.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-3890

CVE, Research URL: CVE-2024-3890
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Apr 26, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Calendly widget in all versions up to, and including, 3.10.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.7.
Status: vulnerable

Happy Addons for Elementor # CVE-2023-28989

CVE, Research URL: CVE-2023-28989
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Jul 10, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in weDevs Happy Addons for Elementor plugin <= 3.8.2 versions.
Affected versions: max 3.8.3.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-29108

CVE, Research URL: CVE-2024-29108
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Mar 19, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leevio Happy Addons for Elementor allows Stored XSS.This issue affects Happy Addons for Elementor: from n/a through 3.10.1.
Affected versions: max 3.10.2.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-0438

CVE, Research URL: CVE-2024-0438
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Feb 29, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wrapper link parameter in the Age Gate in all versions up to, and including, 3.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.2.
Status: vulnerable

Happy Addons for Elementor # CVE-2023-51676

CVE, Research URL: CVE-2023-51676
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Dec 29, 2023
Research Description: Server-Side Request Forgery (SSRF) vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.9.1.1.
Affected versions: max 3.10.0.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-1366

CVE, Research URL: CVE-2024-1366
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Mar 07, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘archive_title_tag’ attribute of the Archive Title widget in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.4.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-4865

CVE, Research URL: CVE-2024-4865
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 18, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.9.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-0838

CVE, Research URL: CVE-2024-0838
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Feb 29, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the side image URL parameter in the Age Gate in all versions up to, and including, 3.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.2.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-5347

CVE, Research URL: CVE-2024-5347
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 31, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'arrow' attribute within the plugin's Post Navigation widget in all versions up to, and including, 3.10.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.11.0.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-3891

CVE, Research URL: CVE-2024-3891
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 02, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in widgets in all versions up to, and including, 3.10.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.6.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-32698

CVE, Research URL: CVE-2024-32698
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Apr 22, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leevio Happy Addons for Elementor allows Stored XSS.This issue affects Happy Addons for Elementor: from n/a through 3.10.4.
Affected versions: max 3.10.5.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-4478

CVE, Research URL: CVE-2024-4478
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 16, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Group widget in all versions up to, and including, 3.10.7 due to insufficient input sanitization and output escaping on user supplied 'tooltip_position' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.8.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-5088

CVE, Research URL: CVE-2024-5088
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: May 18, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.9.
Status: vulnerable

Happy Addons for Elementor # CVE-2024-2787

CVE, Research URL: CVE-2024-2787
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Apr 10, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Page Title HTML Tag in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.5.
Status: vulnerable

Jun 30, 2024

Happy Addons for Elementor # CVE-2024-5790

CVE, Research URL: CVE-2024-5790
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Jun 29, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.10.1.
Status: vulnerable

Jul 27, 2024

Happy Addons for Elementor # CVE-2024-6627

CVE, Research URL: CVE-2024-6627
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Jul 27, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's PDF View widget in all versions up to, and including, 3.11.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.11.3.
Status: vulnerable

Sep 24, 2024

Happy Addons for Elementor # CVE-2024-8801

CVE, Research URL: CVE-2024-8801
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Sep 25, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.2 via the Content Switcher widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including private, draft, and pending Elementor templates.
Affected versions: max 3.12.3.
Status: vulnerable

Oct 03, 2024

Happy Addons for Elementor # CVE-2024-47357

CVE, Research URL: CVE-2024-47357
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Oct 06, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Leevio Happy Addons for Elementor allows Stored XSS.This issue affects Happy Addons for Elementor: from n/a through 3.12.0.
Affected versions: max 3.12.1.
Status: vulnerable

Oct 16, 2024

Happy Addons for Elementor # CVE-2024-48045

CVE, Research URL: CVE-2024-48045
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Nov 01, 2024
Research Description: Missing Authorization vulnerability in Leevio Happy Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Happy Addons for Elementor: from n/a through 3.12.3.
Affected versions: max 3.12.4.
Status: vulnerable

Nov 14, 2024

Happy Addons for Elementor # CVE-2024-10538

CVE, Research URL: CVE-2024-10538
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Nov 12, 2024
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.12.6.
Status: vulnerable

Jan 09, 2025

Happy Addons for Elementor # CVE-2024-12852

CVE, Research URL: CVE-2024-12852
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Jan 08, 2025
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_cmc_text' parameter of the Happy Mouse Cursor in all versions up to, and including, 3.15.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.15.2.
Status: vulnerable

Apr 02, 2025

Happy Addons for Elementor # CVE-2025-30766

CVE, Research URL: CVE-2025-30766
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Mar 27, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyMonster Happy Addons for Elementor allows DOM-Based XSS. This issue affects Happy Addons for Elementor: from n/a through 3.16.2.
Affected versions: max 3.16.3.
Status: vulnerable

Jan 10, 2026

Happy Addons for Elementor # CVE-2025-63077

CVE, Research URL: CVE-2025-63077
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Dec 09, 2025
Research Description: Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Happy Addons for Elementor: from n/a through <= 3.20.2.
Affected versions: max 3.20.2.
Status: vulnerable

Feb 27, 2026

Happy Addons for Elementor # CVE-2025-68999

CVE, Research URL: CVE-2025-68999
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Jan 22, 2026
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection.This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4.
Affected versions: max 3.20.4.
Status: vulnerable

Apr 13, 2026

Happy Addons for Elementor # CVE-2024-5647

CVE, Research URL: CVE-2024-5647
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Jul 03, 2025
Research Description: Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
Affected versions: max 3.12.3.
Status: vulnerable

Apr 15, 2026

Happy Addons for Elementor # CVE-2026-2918

CVE, Research URL: CVE-2026-2918
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Mar 11, 2026
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
Affected versions: max 3.21.1.
Status: vulnerable

Happy Addons for Elementor # CVE-2026-1210

CVE, Research URL: CVE-2026-1210
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Feb 03, 2026
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.20.8.
Status: vulnerable

Happy Addons for Elementor # CVE-2026-2917

CVE, Research URL: CVE-2026-2917
Home page URL: Security reports for Happy Addons for Elementor
Application: Happy Addons for Elementor
Date: Mar 11, 2026
Research Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.
Affected versions: max 3.21.1.
Status: vulnerable