CVE-2026-2917
Received Received - Intake
Insecure Direct Object Reference in Happy Addons for Elementor Plugin

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2917
EUVD
EUVD-2026-11119
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpbeaveraddons happy_elementor_addons to 3.21.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Happy Addons for Elementor WordPress plugin (up to version 3.21.0) is an Insecure Direct Object Reference (IDOR) issue in the admin action handler `ha_duplicate_thing`. It arises because the permission check only verifies if a user has the general capability to edit posts (`edit_posts`) without verifying if the user is authorized to edit the specific post (`edit_post` with the post ID). Additionally, the security nonce used is tied to the generic action rather than a specific post.

This flaw allows authenticated users with Contributor-level access or higher to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and modifying the `post_id` parameter to target other users' content. The cloning operation copies the entire post content, all metadata (which may include sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with relatively low privileges (Contributor-level or above) to duplicate any published content on your WordPress site, including posts, pages, or custom post types.

The cloned content includes all post data, metadata, and taxonomies, which may expose sensitive information such as widget configurations and API tokens. Attackers can create drafts of this content under their own user account, potentially leading to data leakage, unauthorized content replication, and misuse of sensitive configuration data.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized cloning of WordPress posts via the `ha_duplicate_thing` admin action handler in the Happy Addons for Elementor plugin. Detection can focus on monitoring HTTP requests to the WordPress admin area that invoke this action with suspicious parameters.'}, {'type': 'list_item', 'content': 'Look for HTTP POST or GET requests containing the parameter `action=ha_duplicate_thing`.'}, {'type': 'list_item', 'content': 'Check for requests where the `post_id` parameter is changed to target posts not owned by the authenticated user.'}, {'type': 'list_item', 'content': 'Monitor for clone nonce reuse or anomalies, since the nonce is tied to a generic action rather than specific post IDs.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect such activity on a server with access logs:'}, {'type': 'list_item', 'content': "Using grep to find requests invoking the clone action in Apache or Nginx logs: `grep 'action=ha_duplicate_thing' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': "Using grep with post_id parameter to identify suspicious cloning attempts: `grep 'post_id=' /var/log/apache2/access.log | grep 'action=ha_duplicate_thing'`"}, {'type': 'list_item', 'content': 'On WordPress, audit user activity logs or enable logging plugins to track cloning actions performed by users with Contributor-level access or above.'}] [2, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps focus on preventing unauthorized cloning of posts by restricting access and updating the plugin.'}, {'type': 'list_item', 'content': 'Update the Happy Addons for Elementor plugin to a version later than 3.21.0 where the vulnerability is fixed.'}, {'type': 'list_item', 'content': 'Temporarily restrict Contributor-level and above users from accessing cloning functionality by disabling or removing the clone action handler if possible.'}, {'type': 'list_item', 'content': "Implement additional access controls or custom code to enforce object-level authorization checks such as `current_user_can('edit_post', $post_id)`."}, {'type': 'list_item', 'content': 'Monitor and audit user activities related to cloning posts to detect and respond to suspicious behavior.'}, {'type': 'list_item', 'content': 'Consider applying Web Application Firewall (WAF) rules to block or alert on requests with `action=ha_duplicate_thing` and suspicious `post_id` parameters.'}] [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2917. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart