- Published on
-
Mar 11, 2026
- Research Description
-
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.
- Affected versions
-
max 3.21.1.
Plugin Security Certification
Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Get Plugin Security Certificate
| New vulnerability |
|
Zarinpal Gateway
(CVE-2026-2592)
, Apr 15, 2026
|
|
Twitter posts to Blog
(CVE-2026-1786)
, Apr 15, 2026
|
|
Simple Download Monitor
(CVE-2026-2383)
, Apr 15, 2026
|
|
Blog2Social: Social Media Auto Post & Scheduler
(CVE-2026-1942)
, Apr 15, 2026
|
|
WP Content Permission
(CVE-2026-0743)
, Apr 15, 2026
|