- Published on
-
Mar 11, 2026
- Research Description
-
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
- Affected versions
-
max 3.21.1.
Plugin Security Certification
Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Get Plugin Security Certificate
| New vulnerability |
|
Zarinpal Gateway
(CVE-2026-2592)
, Apr 15, 2026
|
|
Twitter posts to Blog
(CVE-2026-1786)
, Apr 15, 2026
|
|
Simple Download Monitor
(CVE-2026-2383)
, Apr 15, 2026
|
|
Blog2Social: Social Media Auto Post & Scheduler
(CVE-2026-1942)
, Apr 15, 2026
|
|
WP Content Permission
(CVE-2026-0743)
, Apr 15, 2026
|