CVE-2026-2918
Received Received - Intake
IDOR and Stored XSS in Happy Addons for Elementor Plugin

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` β€” failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2918
EUVD
EUVD-2026-11121
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
happy_addons happy_elementor_addons to 3.21.0 (inc)
happy_addons happy_elementor_addons 3.20.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2918 is a vulnerability in the Happy Addons for Elementor WordPress plugin, affecting all versions up to and including 3.21.0. It involves an Insecure Direct Object Reference (IDOR) due to improper authorization checks in AJAX actions related to updating and retrieving template display conditions.

Specifically, the method `validate_reqeust()` incorrectly uses `current_user_can('edit_posts', $template_id)` instead of the more precise `current_user_can('edit_post', $template_id)`, failing to enforce object-level permissions. Additionally, the `ha_get_current_condition` AJAX action lacks any capability check.

This allows authenticated users with Contributor-level access or higher to modify the display conditions of any published `ha_library` template. Furthermore, because the renderer outputs condition values into HTML attributes without proper escaping, an attacker can inject malicious JavaScript event handlers (e.g., `onmouseover`) that execute when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting (XSS).

Impact Analysis

This vulnerability can impact you by allowing authenticated users with relatively low privileges (Contributor-level and above) to modify the display conditions of any published Elementor template managed by the Happy Addons plugin.

Such unauthorized modifications can alter how and when templates are displayed on your WordPress site, potentially disrupting site content or behavior.

Moreover, the Stored Cross-Site Scripting (XSS) aspect allows attackers to inject malicious JavaScript that executes in the context of administrators viewing the Template Conditions panel. This can lead to session hijacking, privilege escalation, or other malicious actions within the admin interface.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized AJAX requests to the Happy Addons for Elementor plugin, specifically targeting the `ha_condition_update` and `ha_get_current_condition` AJAX actions. Detection can focus on monitoring AJAX requests to these endpoints for suspicious activity, especially from users with Contributor-level access or higher.'}, {'type': 'paragraph', 'content': 'You can detect attempts to exploit this vulnerability by inspecting HTTP requests to the WordPress admin AJAX endpoint (`wp-admin/admin-ajax.php`) with the following parameters:'}, {'type': 'list_item', 'content': 'Action parameters: `ha_condition_update` or `ha_get_current_condition`'}, {'type': 'list_item', 'content': 'Requests made by authenticated users with Contributor or higher roles'}, {'type': 'paragraph', 'content': 'Suggested commands to detect such activity include using web server logs or network monitoring tools to filter requests. For example, using grep on Apache or Nginx logs:'}, {'type': 'list_item', 'content': "grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'ha_condition_update'"}, {'type': 'list_item', 'content': "grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'ha_get_current_condition'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring WordPress user activity logs for unexpected changes to `ha_library` templates or display conditions can help detect exploitation attempts.'}] [2, 3]

Mitigation Strategies

To mitigate this vulnerability, immediate steps include:

  • Update the Happy Addons for Elementor plugin to a version later than 3.21.0 where the vulnerability is fixed.
  • Restrict access to the WordPress admin area and AJAX endpoints to trusted users only, ensuring that users with Contributor-level access cannot exploit the vulnerability.
  • Implement web application firewall (WAF) rules to block or monitor suspicious AJAX requests targeting `ha_condition_update` and `ha_get_current_condition` actions.
  • Review and audit user roles and permissions to minimize the number of users with Contributor or higher privileges.

Longer term, ensure that plugins are kept up to date and monitor security advisories for any further patches or mitigations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2918. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart