cleantalk
Vulnerabilities and Security Researches

Happy Addons for Elementor, CVE-2026-2918

CVE, Research URL

CVE-2026-2918

Home page URL

Security reports for Happy Addons for Elementor

Application

Happy Addons for Elementor

Published on
Mar 11, 2026
Research Description
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
Affected versions
max 3.21.1.
Status
vulnerable
Previous vulnerability researches
Happy Addons for Elementor (CVE-2025-68999) , Feb 27, 2026
Happy Addons for Elementor (CVE-2025-30766) , Apr 02, 2025
Happy Addons for Elementor (CVE-2024-5647) , Apr 13, 2026
Happy Addons for Elementor (CVE-2024-10538) , Nov 14, 2024
Happy Addons for Elementor (CVE-2024-12852) , Jan 09, 2025
New vulnerability
Customer Reviews for WooCommerce (CVE-2026-1316) , Apr 15, 2026
WP Recipe Maker (CVE-2026-1558) , Apr 15, 2026
Page and Post Clone (CVE-2026-2893) , Apr 15, 2026
Greenshift – animation and page builder blocks (CVE-2026-2589) , Apr 15, 2026
Greenshift – animation and page builder blocks (CVE-2026-1927) , Apr 15, 2026