CVE-2026-2917
Insecure Direct Object Reference in Happy Addons for Elementor Plugin
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpbeaveraddons | happy_elementor_addons | up to and including 3.21.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Happy Addons for Elementor WordPress plugin (up to and including version 3.21.0) is an Insecure Direct Object Reference (IDOR) in the admin action handler `ha_duplicate_thing`. The handler's permission check only confirms that the requester holds the general `edit_posts` capability, which every Contributor has, instead of checking `edit_post` against the specific post ID; for another author's published post that meta capability resolves to `edit_others_posts` or `edit_published_posts`, which Contributors do not hold. In addition, the nonce protecting the action is generated for the generic action name rather than for a particular post, so a single nonce verifies for any `post_id`.
An authenticated user with Contributor-level access or higher can therefore take the clone nonce from the clone link on one of their own posts, change the `post_id` parameter to any published post, page, or custom post type, and have the plugin copy it. The clone reproduces the full post content, all post metadata (which may include Elementor widget configurations and API tokens stored in meta), and the taxonomy terms into a new draft owned by the attacker, who can then read it in the editor.
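The following is an added illustration, not code from the Happy Addons plugin: a hypothetical clone handler showing the role-level check plus action-wide nonce that the advisory describes, beside a hardened version that binds the nonce to the post and checks `edit_post` for that post. Function names, the `_wpnonce` parameter name and the nonce action strings are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not Happy Addons' own code: a hypothetical clone handler
// exhibiting the pattern the advisory describes, followed by a hardened
// version. Function names, the '_wpnonce' parameter and the nonce action
// strings are assumptions; the WordPress APIs used are real.

// VULNERABLE PATTERN: role-level capability plus a nonce bound only to the
// action name. Every Contributor has 'edit_posts', and the nonce from the
// clone link on their own post verifies for any post_id.
function ha_clone_vulnerable() {
    $post_id = absint( $_GET['post_id'] ?? 0 );
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'ha_duplicate_thing' ) ) {
        wp_die( 'Invalid nonce.', 403 );
    }
    if ( ! current_user_can( 'edit_posts' ) ) {   // answers "who are you?" only
        wp_die( 'Not allowed.', 403 );
    }
    ha_clone_copy( $post_id );                    // never asks "may you edit THIS post?"
}

// HARDENED: object-level authorization and a nonce minted per post.
function ha_clone_hardened() {
    $post_id = absint( $_GET['post_id'] ?? 0 );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_die( 'No such post.', 404 );
    }
    // The nonce action includes the post ID, so a nonce lifted from the
    // attacker's own clone link does not verify for someone else's post.
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'ha_duplicate_thing_' . $post_id ) ) {
        wp_die( 'Invalid nonce.', 403 );
    }
    // 'edit_post' is a meta capability: for another author's published post
    // it resolves to edit_others_posts / edit_published_posts, which a
    // Contributor does not hold. This check alone closes the IDOR.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to clone this post.', 403 );
    }
    $new_id = ha_clone_copy( $post_id );
    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
// admin_action_{$action} fires from wp-admin/admin.php for ?action=...
add_action( 'admin_action_ha_duplicate_thing', 'ha_clone_hardened' );

// Clone link whose nonce is bound to the post it will copy.
function ha_clone_link( int $post_id ): string {
    $url = add_query_arg(
        array( 'action' => 'ha_duplicate_thing', 'post_id' => $post_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'ha_duplicate_thing_' . $post_id );
}

// What a clone actually carries: content, every meta row (Elementor widget
// settings and any API tokens kept in meta included) and taxonomy terms,
// all landing in a draft owned by the requester.
function ha_clone_copy( int $post_id ): int {
    $src    = get_post( $post_id, ARRAY_A );
    $new_id = wp_insert_post( array(
        'post_title'   => $src['post_title'],
        'post_content' => $src['post_content'],
        'post_excerpt' => $src['post_excerpt'],
        'post_type'    => $src['post_type'],
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ), true );
    if ( is_wp_error( $new_id ) ) {
        wp_die( $new_id );
    }
    foreach ( get_post_meta( $post_id ) as $key => $values ) {
        foreach ( $values as $value ) {
            add_post_meta( $new_id, $key, maybe_unserialize( $value ) );
        }
    }
    foreach ( get_object_taxonomies( $src['post_type'] ) as $tax ) {
        $terms = wp_get_object_terms( $post_id, $tax, array( 'fields' => 'ids' ) );
        if ( ! is_wp_error( $terms ) ) {
            wp_set_object_terms( $new_id, $terms, $tax );
        }
    }
    return $new_id;
}
```

The two handlers differ only in the nonce action and the capability check, which is exactly the CWE-639 gap: `edit_posts` answers "may this role edit posts at all", while `edit_post` with a post ID answers "may this user edit that post". Binding the nonce to the post is defence in depth; the capability check is what actually closes the hole.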
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users with relatively low privileges (Contributor-level or above) to duplicate any published content on your WordPress site, including posts, pages, or custom post types.
The cloned content includes all post data, metadata, and taxonomies, which may expose sensitive information such as widget configurations and API tokens. Attackers can create drafts of this content under their own user account, potentially leading to data leakage, unauthorized content replication, and misuse of sensitive configuration data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized cloning of WordPress posts via the `ha_duplicate_thing` admin action handler in the Happy Addons for Elementor plugin. Detection can focus on requests to the WordPress admin area that invoke this action, and on which source is targeting which posts.

- Look for requests whose query string or body contains `action=ha_duplicate_thing`. Web server access logs record only the query string, so a GET-style clone link is visible there but a POST body is not; use a WordPress-side hook or an activity-log plugin to see the latter.
- An access log does not show which WordPress user sent a request, so "a `post_id` the requester does not own" cannot be judged from the access log alone. Correlate the `post_id` values with `post_author` in `wp_posts` and with the user that a WordPress activity log attributes to the request.
- Because the nonce is bound to the generic action, one nonce is valid for every `post_id`. The telling pattern is a single source reusing the same nonce value against many different `post_id` values in a short window; nonce reuse by itself is normal, since a WordPress nonce stays valid for up to 24 hours.

Suggested commands on a server with access logs:

- Find requests invoking the clone action (Apache; for Nginx substitute `/var/log/nginx/access.log`): `grep 'action=ha_duplicate_thing' /var/log/apache2/access.log`
- Narrow to requests that also carry a `post_id` parameter: `grep 'action=ha_duplicate_thing' /var/log/apache2/access.log | grep 'post_id='`
- On WordPress, audit user activity logs or enable a logging plugin to track clone actions performed by Contributor-level (or higher) users. [2, 4]
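The grep commands above only list matching lines. The script below is an added example (not part of the advisory) that goes one step further: it parses combined-format access log lines, keeps the clone requests, and flags any source address that used one nonce against several different `post_id` values. The log lines are constructed for the example, and the `_wpnonce` parameter name and the flagging threshold are assumptions.

```php
<?php
// Added example, not part of the advisory: scan an Apache/Nginx combined-format
// access log for ha_duplicate_thing requests and flag sources that reuse a nonce
// across many post_id values. The log lines below are constructed; the
// '_wpnonce' parameter name and MIN_DISTINCT_POSTS threshold are assumptions.

const CLONE_ACTION       = 'ha_duplicate_thing';
const MIN_DISTINCT_POSTS = 3;   // tuning assumption: legitimate users rarely clone this many

$sample_log = <<<'LOG'
203.0.113.5 - - [11/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin.php?action=ha_duplicate_thing&post_id=101&_wpnonce=a1b2c3d4e5 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2026:10:01:09 +0000] "GET /wp-admin/admin.php?action=ha_duplicate_thing&post_id=17&_wpnonce=a1b2c3d4e5 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2026:10:01:15 +0000] "GET /wp-admin/admin.php?action=ha_duplicate_thing&post_id=18&_wpnonce=a1b2c3d4e5 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2026:10:01:21 +0000] "GET /wp-admin/admin.php?action=ha_duplicate_thing&post_id=42&_wpnonce=a1b2c3d4e5 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2026:10:05:00 +0000] "GET /wp-admin/admin.php?action=ha_duplicate_thing&post_id=77&_wpnonce=f6e5d4c3b2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2026:10:06:00 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// Extract (ip, time, post_id, nonce) for every request that invokes the clone action.
function parse_clone_requests(string $log): array {
    $out = [];
    $re  = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"/';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        $query = parse_url($m[3], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;               // no query string: cannot be a GET clone request
        }
        parse_str($query, $q);
        if (($q['action'] ?? '') !== CLONE_ACTION) {
            continue;
        }
        $out[] = [
            'ip'      => $m[1],
            'time'    => $m[2],
            'post_id' => $q['post_id'] ?? '',
            'nonce'   => $q['_wpnonce'] ?? '',
        ];
    }
    return $out;
}

// Group by source address; flag sources that targeted many distinct posts.
function flag_sources(array $requests, int $min = MIN_DISTINCT_POSTS): array {
    $by_ip = [];
    foreach ($requests as $r) {
        $by_ip[$r['ip']]['posts'][$r['post_id']] = true;
        $by_ip[$r['ip']]['nonces'][$r['nonce']] = true;
    }
    $flagged = [];
    foreach ($by_ip as $ip => $d) {
        if (count($d['posts']) >= $min) {
            $flagged[$ip] = [
                'post_ids' => array_keys($d['posts']),
                'nonces'   => count($d['nonces']),
            ];
        }
    }
    return $flagged;
}

foreach (flag_sources(parse_clone_requests($sample_log)) as $ip => $info) {
    printf("%s requested clones of %d distinct posts (%s) with %d nonce value(s)\n",
        $ip, count($info['post_ids']), implode(', ', $info['post_ids']), $info['nonces']);
}
```

On the constructed input only `203.0.113.5` is reported, with four post IDs and a single nonce value; the second address cloned one post and is ignored. Run it over a real log by replacing `$sample_log` with `file_get_contents('/var/log/apache2/access.log')`. Since the access log carries no WordPress user identity, treat a hit as a lead to confirm against `post_author` and the site's activity log rather than as proof of abuse.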
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation focuses on preventing unauthorized cloning by restricting access and updating the plugin.

- Update Happy Addons for Elementor to a release newer than 3.21.0; all versions up to and including 3.21.0 are affected.
- Until the update is applied, keep Contributor-level (and higher) users away from the clone feature, for example by disabling the clone action handler or blocking the action for those roles.
- Enforce object-level authorization in front of the handler with `current_user_can('edit_post', $post_id)` rather than the role-level `current_user_can('edit_posts')`; the `edit_post` meta capability denies a Contributor access to other authors' published posts.
- Monitor and audit clone activity so that suspicious behaviour can be detected and responded to.
- Consider Web Application Firewall (WAF) rules that block or alert on requests carrying `action=ha_duplicate_thing`, for instance by rate or by source, bearing in mind that the `post_id` value alone does not tell a WAF whether the requester owns that post. [2, 4]
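The second, third and fourth steps can be combined in a must-use plugin that runs ahead of the vulnerable handler. The code below is an added example, not Happy Addons code, and assumes the plugin registers its handler on the `admin_action_ha_duplicate_thing` hook at the default priority 10, so that a callback at priority 0 runs first; if the plugin dispatched the action some other way, this guard would not intercept it. It enforces the `edit_post` check, writes an audit line for every attempt (allowed or blocked) to the PHP error log, and offers a constant to switch cloning off entirely during rollout. The constant and function names are assumptions.

```php
<?php
/**
 * Plugin Name: Clone guard for ha_duplicate_thing (added example)
 *
 * Drop into wp-content/mu-plugins/. This is not Happy Addons code: it is an
 * added stop-gap that runs before the plugin's handler (assumed to be hooked
 * on admin_action_ha_duplicate_thing at the default priority 10), enforces
 * the object-level check the advisory says is missing, and records every
 * attempt. Remove it once the plugin is updated past 3.21.0.
 */

// Set to true in wp-config.php to refuse all cloning while you roll out the update.
if ( ! defined( 'HA_CLONE_GUARD_DISABLE_ALL' ) ) {
    define( 'HA_CLONE_GUARD_DISABLE_ALL', false );
}

// One audit line per attempt: verdict, acting user, source IP, target post and its owner.
function ha_clone_guard_log( string $verdict, int $post_id ): void {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'ha_clone_guard: %s user=%d(%s) ip=%s post_id=%d owner=%d',
        $verdict,
        $user->ID,
        $user->user_login,
        $ip,
        $post_id,
        (int) get_post_field( 'post_author', $post_id )
    ) );
}

function ha_clone_guard(): void {
    $post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;

    if ( HA_CLONE_GUARD_DISABLE_ALL ) {
        ha_clone_guard_log( 'blocked-disabled', $post_id );
        wp_die( 'Post cloning is temporarily disabled.', 403 );
    }
    if ( ! $post_id || ! get_post( $post_id ) ) {
        ha_clone_guard_log( 'blocked-nopost', $post_id );
        wp_die( 'Invalid post.', 400 );
    }
    // Object-level authorization. For another author's published post,
    // 'edit_post' resolves to edit_others_posts / edit_published_posts,
    // which Contributors lack, so the IDOR is closed whatever the nonce says.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        ha_clone_guard_log( 'blocked-unauthorized', $post_id );
        wp_die( 'You are not allowed to clone this post.', 403 );
    }
    ha_clone_guard_log( 'allowed', $post_id );   // audit trail for legitimate clones too
}

// Priority 0 runs before the plugin's own callback at the default priority 10.
add_action( 'admin_action_ha_duplicate_thing', 'ha_clone_guard', 0 );
```

Because `wp_die()` ends the request, the plugin's handler never runs for a blocked attempt. The `blocked-unauthorized` lines in the error log are the signal worth alerting on: they identify the user account, the source address and the post that was targeted, which an access log alone cannot provide.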