CVE-2026-2917 MEDIUM

CVE-2026-2917: Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter

Vendor Thehappymonster
Product Happy Addons for Elementor
Weakness CWE-639 · IDOR
Published March 11, 2026
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.

Explanation of Vulnerability in Simple Terms

02Summary

Happy Addons for Elementor versions up to 3.21.0 contain an authorization flaw that allows authenticated users to read and modify sensitive data. An attacker with a low-privilege account can access information and make changes they should not be permitted to. Update to a version newer than 3.21.0 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Read and modify sensitive data within the plugin as a low-privilege authenticated user.

Potential impact on your site

04Site Impact

Unauthorized users can access and alter plugin data, risking data integrity and confidentiality.

Conditions required to exploit

05Prerequisites

Attacker must have a valid user account with low-level permissions on the site.

Key dates

06Disclosure timeline

March 11, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08Related CVE