Insecure Direct Object Reference in Happy Addons for Elementor Plugin by WordPress
CVE-2026-2918

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Happy Addons For Elementor
Vendor
CVE Published:
11 March 2026

What is CVE-2026-2918?

The Happy Addons for Elementor plugin for WordPress is susceptible to an Insecure Direct Object Reference due to improper authorization in the validate_request() method. This results in authenticated users with Contributor-level access being able to alter the display conditions of published ha_library templates. Additionally, the AJAX action ha_get_current_condition does not perform necessary capability checks. The vulnerability is further exacerbated by the cond_to_html() renderer, which outputs condition values into HTML attributes without proper escaping. This oversight permits attackers to inject event handler attributes, potentially leading to Stored Cross-Site Scripting (XSS) attacks when an administrator accesses the Template Conditions panel.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Happy Addons for Elementor * <= 3.21.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/happy-elemento...
https://plugins.trac.wordpress.org/browser/happy-elemento...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
JSON
.