CVE-2026-2918
IDOR and Stored XSS in Happy Addons for Elementor Plugin
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| happy_addons | happy_elementor_addons | up to and including 3.21.0 |
| happy_addons | happy_elementor_addons | 3.20.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2918 is a vulnerability in the Happy Addons for Elementor WordPress plugin, affecting all versions up to and including 3.21.0. It is an Insecure Direct Object Reference (IDOR) caused by improper authorization checks in the AJAX actions that update and retrieve template display conditions.
Specifically, the plugin's `validate_reqeust()` method checks `current_user_can('edit_posts', $template_id)` rather than `current_user_can('edit_post', $template_id)`. `edit_posts` is a primitive capability held by every Contributor, and `current_user_can()` ignores the post ID argument for primitive capabilities, so the check never considers which template is being modified. `edit_post` is a meta capability that `map_meta_cap()` resolves against the specific post's author and status, which is what an object-level check requires. In addition, the `ha_get_current_condition` AJAX action performs no capability check at all.
As a result, authenticated users with Contributor-level access or higher can modify the display conditions of any published `ha_library` template. Because the renderer writes condition values into HTML attributes without escaping, an attacker can store a value that breaks out of the attribute and adds a JavaScript event handler (for example `onmouseover`); the handler executes when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting (XSS).
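The following is an added, illustrative AJAX handler that reproduces the two defects described above beside their hardened forms. It is example code written for this page, not Happy Addons' implementation: the function names, the `template_id` and `conditions` request parameters, the `_example_condition` meta key and the nonce action name are all assumptions. The `ha_library` post type and the `edit_posts` / `edit_post` capability names are the ones the advisory mentions.

```php
<?php
// Illustrative WordPress AJAX handler showing the IDOR and the attribute XSS
// from CVE-2026-2918 in their vulnerable and fixed forms. Example code only;
// parameter names, meta key and nonce action are assumptions.

// --- Vulnerable authorization pattern -------------------------------------
function example_vuln_update_condition() {
	$template_id = (int) $_POST['template_id'];

	// 'edit_posts' is a primitive capability granted to every Contributor.
	// current_user_can() ignores the second argument for primitive caps, so
	// a Contributor passes this check for ANY template ID.
	if ( ! current_user_can( 'edit_posts', $template_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	// No nonce, no post-type check, untrusted value stored verbatim.
	update_post_meta( $template_id, '_example_condition', $_POST['conditions'] );
	wp_send_json_success();
}

// --- Hardened authorization pattern ---------------------------------------
function example_fixed_update_condition() {
	// CSRF protection: dies with HTTP 403 if the nonce is missing or invalid.
	check_ajax_referer( 'example_condition_nonce', 'nonce' );

	$template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;

	// Object-level check: 'edit_post' is a meta capability that map_meta_cap()
	// resolves against this specific post's author and status. A Contributor
	// is refused on another user's published template.
	if ( ! $template_id || ! current_user_can( 'edit_post', $template_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	// Refuse IDs that point at anything other than a template.
	if ( get_post_type( $template_id ) !== 'ha_library' ) {
		wp_send_json_error( 'not a template', 400 );
	}
	$conditions = isset( $_POST['conditions'] )
		? sanitize_text_field( wp_unslash( $_POST['conditions'] ) )
		: '';
	update_post_meta( $template_id, '_example_condition', $conditions );
	wp_send_json_success();
}
add_action( 'wp_ajax_example_condition_update', 'example_fixed_update_condition' );

// --- Rendering the stored value back into the admin panel ------------------
// Vulnerable: a stored value such as  x" onmouseover="alert(1)  closes the
// value attribute and adds an event handler that fires for the admin viewer.
function example_vuln_render( $value ) {
	return '<input type="text" value="' . $value . '">';
}

// Fixed: esc_attr() encodes quotes and angle brackets so the value cannot
// leave the attribute context.
function example_fixed_render( $value ) {
	return '<input type="text" value="' . esc_attr( $value ) . '">';
}
```

The two changes that matter are the switch from the role-level `edit_posts` check to the object-level `edit_post` check (plus a post-type check so an ID cannot be pointed at an unrelated post) and the `esc_attr()` call at the point where a stored value is written into an attribute. Sanitizing on input alone is not a substitute for escaping on output, since the same value may later be rendered in a different context.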
How can this vulnerability impact me?
This vulnerability can impact you by allowing authenticated users with relatively low privileges (Contributor-level and above) to modify the display conditions of any published Elementor template managed by the Happy Addons plugin.
Such unauthorized modifications can alter how and when templates are displayed on your WordPress site, potentially disrupting site content or behavior.
Moreover, the Stored Cross-Site Scripting (XSS) aspect allows attackers to inject malicious JavaScript that executes in the context of administrators viewing the Template Conditions panel. This can lead to session hijacking, privilege escalation, or other malicious actions within the admin interface.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized AJAX requests to the Happy Addons for Elementor plugin, specifically the `ha_condition_update` and `ha_get_current_condition` AJAX actions. Detection can focus on requests to the WordPress AJAX endpoint (`wp-admin/admin-ajax.php`) that carry one of those action names, especially from users with Contributor-level access or higher.
Look for requests with:
- an `action` parameter of `ha_condition_update` or `ha_get_current_condition`
- a session belonging to an authenticated user with the Contributor role or higher
Where the action name appears in the query string, filtering the web server access log is enough. For example, on Apache (substitute the Nginx log path where applicable):
- `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'ha_condition_update'`
- `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'ha_get_current_condition'`
Caveat: `admin-ajax.php` is normally called with POST, and default Apache and Nginx access logs record only the request line, not the request body, so the `action` value will usually not be visible there and these greps will miss most exploit attempts. Request-body logging, a WAF audit log, or logging inside WordPress itself is needed to see the action name reliably.
Additionally, monitoring WordPress user activity logs for unexpected changes to `ha_library` templates or their display conditions can help detect exploitation attempts. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include:
- Update the Happy Addons for Elementor plugin to a version later than 3.21.0 where the vulnerability is fixed.
- Restrict who can reach the vulnerable actions. `admin-ajax.php` has to remain available to logged-in users, so the meaningful restriction is on accounts: review every user with the Contributor role or higher, remove or downgrade those that do not need to author content, and make sure open registration does not grant Contributor by default.
- Implement web application firewall (WAF) rules to block or monitor suspicious AJAX requests targeting the `ha_condition_update` and `ha_get_current_condition` actions; since the `action` value normally travels in the POST body, the rule must inspect request bodies, not just URLs.
Longer term, ensure that plugins are kept up to date and monitor security advisories for any further patches or mitigations.
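The following is an added example of a stop-gap must-use plugin that covers both the detection and the mitigation points above: it logs every call to the two advisory-named AJAX actions with the acting user and source address, and blocks callers below a chosen capability before the plugin's own handler runs. It is written for this page and is not code from Happy Addons or Wordfence. Its one assumption is the choice of `edit_others_posts` (Editor and above) as the gate: the advisory does not name the request parameter carrying the template ID, so an exact object-level `edit_post` check cannot be reproduced here, and the coarser role check is used instead.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2026-2918 (Happy Addons template conditions)
 * Description: Logs and restricts the ha_condition_update / ha_get_current_condition AJAX actions.
 *
 * Place in wp-content/mu-plugins/ as a temporary measure until the plugin is updated.
 * Illustrative hardening code for this page, not part of Happy Addons or Wordfence.
 */

// The two AJAX actions named in the advisory.
const CVE_2026_2918_ACTIONS = array( 'ha_condition_update', 'ha_get_current_condition' );

// Capability a caller must hold to reach those actions while this patch is active.
// Assumption: edit_others_posts (Editor and above) stands in for the missing
// object-level edit_post check. Side effect: Authors can no longer edit the
// conditions of their own templates until the real fix is installed.
const CVE_2026_2918_REQUIRED_CAP = 'edit_others_posts';

function cve_2026_2918_guard() {
	// admin_init fires for admin-ajax.php requests before the wp_ajax_* handlers.
	if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
		return;
	}
	$action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
	if ( ! in_array( $action, CVE_2026_2918_ACTIONS, true ) ) {
		return;
	}

	$user    = wp_get_current_user();   // ID 0 and empty login when unauthenticated
	$allowed = current_user_can( CVE_2026_2918_REQUIRED_CAP );

	// Record every attempt. This is the detection signal an access log cannot
	// give, because the action name normally travels in the POST body.
	error_log( sprintf(
		'[CVE-2026-2918] action=%s user_id=%d login=%s ip=%s method=%s result=%s',
		$action,
		$user->ID,
		$user->user_login !== '' ? $user->user_login : '(anonymous)',
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
		isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
		$allowed ? 'allowed' : 'blocked'
	) );

	if ( ! $allowed ) {
		// Terminates the request; the plugin's handler for this action never runs.
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}
}
add_action( 'admin_init', 'cve_2026_2918_guard', 0 );
```

Entries land in the PHP error log (or wherever `error_log` is routed), so the same grep approach works there and, unlike the access log, sees the action name for POST requests. Remove the file once the fixed plugin release is installed and the logged `blocked` entries have been reviewed.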