CVE-2026-1210
Stored XSS in Happy Addons for Elementor Plugin Allows Script Injection

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Wordfence

Description
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Meta Information
Published: 2026-02-03
Last Modified: 2026-02-03
Generated: 2026-05-07
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor        Product                  Version / Range
happy_addons  happy_elementor_addons   up to 3.20.7 (inclusive)
happy_addons  happy_elementor_addons   3.20.4
happy_addons  happy_elementor_addons   3.20.8
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1210 is a Stored Cross-Site Scripting (XSS) vulnerability in the Happy Addons for Elementor WordPress plugin, specifically in the 'SVG Draw' widget. The vulnerability arises because the plugin allows authenticated users with Contributor-level access or higher to input custom SVG code via a textarea control without sufficient sanitization and output escaping. This improper handling of SVG input enables attackers to inject arbitrary web scripts that execute whenever any user accesses the injected page. The issue is due to conditional rendering of SVG content where users with 'unfiltered_html' capability can have their raw SVG code output directly without sanitization, leading to potential XSS attacks. [2, 4]


How can this vulnerability impact me?

This vulnerability can allow authenticated attackers with Contributor-level access or higher to inject malicious scripts into pages via the SVG Draw widget. These scripts execute in the context of any user viewing the affected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions. Because the vulnerability is a Stored XSS, the malicious code persists on the site and affects all visitors to the compromised pages, increasing the risk and impact. [2, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection starts with confirming whether Happy Addons for Elementor version 3.20.7 or earlier is installed and whether the '_elementor_data' meta field holds SVG code that could be exploited. Since the vulnerability is a Stored Cross-Site Scripting (XSS) via insufficient sanitization of SVG input, you can look for suspicious SVG code injections in the database or monitor HTTP requests that include SVG payloads. Specific commands could include searching the WordPress database for '_elementor_data' meta values containing suspicious SVG or script tags. For example, querying the wp_postmeta table with MySQL:

```sql
SELECT * FROM wp_postmeta WHERE meta_key = '_elementor_data' AND meta_value LIKE '%<script%';
```

or searching for suspicious SVG elements:

```sql
SELECT * FROM wp_postmeta WHERE meta_key = '_elementor_data' AND meta_value LIKE '%<svg%';
```

Additionally, monitoring web server logs for unusual requests containing SVG or script payloads targeting pages using this plugin can help detect exploitation attempts. The referenced resources provide no specific command-line tools or signatures, so these database queries and log inspections are the recommended focus. [2, 4]
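As an added example (not from the page's sources or the plugin's own code), the following Python scanner parses the JSON that Elementor stores in '_elementor_data', walks the element tree and flags any SVG-bearing widget setting that carries active content, so it also catches on* event-handler attributes and javascript: URIs that the LIKE '%<script%' query alone misses. The widget type name ha_svg_draw and the setting key custom_svg in the constructed sample are assumptions, not the plugin's real identifiers.

```python
import json
import re

# Markers of active content inside an SVG string (case-insensitive, as tag and
# attribute names are): script tags, on* handlers, javascript: URIs, HTML containers.
ACTIVE_CONTENT = re.compile(
    r"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b|<iframe\b", re.IGNORECASE)
SVG_TAG = re.compile(r"<svg\b", re.IGNORECASE)


def walk_elements(elements: list):
    """Yield every element of an Elementor element tree, depth-first."""
    for element in elements:
        yield element
        yield from walk_elements(element.get("elements", []))


def scan_elementor_data(meta_value: str) -> list:
    """Scan one _elementor_data value (JSON string as returned by get_post_meta);
    return (element_id, widget_type, setting_key, marker) per SVG setting with
    active content."""
    try:
        tree = json.loads(meta_value)
    except json.JSONDecodeError:
        return []  # not Elementor JSON, nothing to scan
    findings = []
    for element in walk_elements(tree):
        for key, value in element.get("settings", {}).items():
            if isinstance(value, str) and SVG_TAG.search(value):
                hit = ACTIVE_CONTENT.search(value)
                if hit:
                    findings.append((element.get("id"), element.get("widgetType"), key, hit.group(0)))
    return findings


def _widget(eid: str, svg: str) -> dict:
    # Widget type and setting key are assumed names, not the plugin's real ones.
    return {"id": eid, "elType": "widget", "widgetType": "ha_svg_draw",
            "settings": {"custom_svg": svg}, "elements": []}


# Constructed sample: a benign SVG, one with a script tag (what LIKE '%<script%'
# catches) and one with an event-handler attribute (what that query misses).
SAMPLE_META_VALUE = json.dumps([{"id": "a1b2c3", "elType": "section", "elements": [
    {"id": "d4e5f6", "elType": "column", "elements": [
        _widget("7a8b9c", "<svg viewBox='0 0 10 10'><circle r='4'/></svg>"),
        _widget("0d1e2f", "<svg><script></script></svg>"),
        _widget("3a4b5c", "<svg onload=''><rect/></svg>"),
    ]}]}])
```

Run scan_elementor_data over each meta_value returned by the '_elementor_data' query above; a hit identifies the post, the widget and the setting to review rather than the whole serialized page.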


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

1. Update the Happy Addons for Elementor plugin to a version later than 3.20.7 where the vulnerability is fixed.
2. If an update is not immediately available, restrict Contributor-level and above users from injecting SVG code or disable the SVG Draw widget functionality temporarily.
3. Review and sanitize any existing '_elementor_data' meta field entries that may contain malicious SVG or script content.
4. Limit user capabilities to prevent users with 'unfiltered_html' privileges from injecting raw SVG code, as the vulnerability exploits this capability.
5. Monitor and audit user inputs and plugin usage to detect and prevent exploitation.

These steps reduce the risk of stored XSS attacks by addressing the root cause of insufficient input sanitization and output escaping in the plugin. [2, 4]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability CVE-2026-1210 in the Happy Addons for Elementor plugin allows authenticated users with Contributor-level access and above to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to execution of malicious scripts when other users access the injected pages.

Such XSS vulnerabilities can compromise the confidentiality and integrity of user data, potentially exposing personal information or session tokens. This exposure can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

Specifically, if an attacker exploits this vulnerability to steal personal data or credentials, it could result in a breach of protected health information (PHI) under HIPAA or personal data under GDPR, triggering legal and regulatory consequences for the affected organization.

Therefore, the presence of this vulnerability increases the risk of non-compliance with common standards and regulations that mandate secure handling and protection of user data.

