CVE-2026-2918 (GCVE-0-2026-2918)
Vulnerability from cvelistv5 – Published: 2026-03-11 07:36 – Updated: 2026-04-08 16:38
Title
Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions
Summary
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
Severity ?
6.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| thehappymonster | Happy Addons for Elementor | Affected: 0 ≤ version ≤ 3.21.0 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T13:46:29.268891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T13:46:42.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Happy Addons for Elementor",
"vendor": "thehappymonster",
"versions": [
{
"lessThanOrEqual": "3.21.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can(\u0027edit_posts\u0027, $template_id)` instead of `current_user_can(\u0027edit_post\u0027, $template_id)` \u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:38:03.144Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237"
},
{
"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525"
},
{
"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237"
},
{
"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3475242%40happy-elementor-addons%2Ftrunk\u0026old=3463375%40happy-elementor-addons%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-20T22:05:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-10T19:04:44.000Z",
"value": "Disclosed"
}
],
"title": "Happy Addons for Elementor \u003c= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2918",
"datePublished": "2026-03-11T07:36:23.620Z",
"dateReserved": "2026-02-20T21:49:53.519Z",
"dateUpdated": "2026-04-08T16:38:03.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-2918",
"date": "2026-04-22",
"epss": "0.00041",
"percentile": "0.12394"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-2918\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-03-11T08:16:03.567\",\"lastModified\":\"2026-04-22T21:27:27.950\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can(\u0027edit_posts\u0027, $template_id)` instead of `current_user_can(\u0027edit_post\u0027, $template_id)` \u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.\"},{\"lang\":\"es\",\"value\":\"El plugin Happy Addons para Elementor para WordPress es vulnerable a Referencia Directa a Objeto Insegura en todas las versiones hasta la 3.21.0, inclusive, a trav\u00e9s de la acci\u00f3n AJAX \u0027ha_condition_update\u0027. Esto se debe a que el m\u00e9todo \u0027validate_reqeust()\u0027 usa \u0027current_user_can(\u0027edit_posts\u0027, $template_id)\u0027 en lugar de \u0027current_user_can(\u0027edit_post\u0027, $template_id)\u0027 \u2014 lo que impide realizar una autorizaci\u00f3n a nivel de objeto. Adem\u00e1s, la acci\u00f3n AJAX \u0027ha_get_current_condition\u0027 carece de una verificaci\u00f3n de capacidad. 
Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, modifiquen las condiciones de visualizaci\u00f3n de cualquier plantilla \u0027ha_library\u0027 publicada. Debido a que el renderizador \u0027cond_to_html()\u0027 genera valores de condici\u00f3n en atributos HTML sin un escape adecuado (usando concatenaci\u00f3n de cadenas en lugar de \u0027esc_attr()\u0027), un atacante puede inyectar atributos de gestor de eventos (por ejemplo, \u0027onmouseover\u0027) que ejecutan JavaScript cuando un administrador ve el panel de Condiciones de Plantilla, lo que resulta en Cross-Site Scripting Almacenado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.tra
c.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3475242%40happy-elementor-addons%2Ftrunk\u0026old=3463375%40happy-elementor-addons%2Ftrunk\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2918\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T13:46:29.268891Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-11T13:46:36.534Z\"}}], \"cna\": {\"title\": \"Happy Addons for Elementor \u003c= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Dmitrii Ignatyev\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"thehappymonster\", \"product\": \"Happy Addons for Elementor\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.21.0\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-20T22:05:13.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-03-10T19:04:44.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237\"}, {\"url\": 
\"https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3475242%40happy-elementor-addons%2Ftrunk\u0026old=3463375%40happy-elementor-addons%2Ftrunk\u0026sfp_email=\u0026sfph_mail=\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can(\u0027edit_posts\u0027, $template_id)` instead of `current_user_can(\u0027edit_post\u0027, $template_id)` \\u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-08T16:38:03.144Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-2918\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T16:38:03.144Z\", \"dateReserved\": \"2026-02-20T21:49:53.519Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-03-11T07:36:23.620Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.