CVE-2026-2918 MEDIUM

CVE-2026-2918: Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions

Vendor Thehappymonster
Product Happy Addons for Elementor
Weakness CWE-639 · IDOR
Published March 11, 2026
Last update April 8, 2026

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.

Explanation of Vulnerability in Simple Terms

02Summary

Happy Addons for Elementor versions up to 3.21.0 contain an authorization flaw that allows authenticated users with low privileges to read or modify data across the site. The vulnerability affects scope beyond the plugin itself due to its integration with Elementor. Site administrators should update to a version newer than 3.21.0 as soon as available.

What an attacker can do

03Attacker Capabilities

Read or modify site data with low-level user account; impact extends beyond the plugin.

Potential impact on your site

04Site Impact

Authenticated users can access or alter content they shouldn't; data integrity and confidentiality at risk.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site; no user interaction required.

Key dates

06Disclosure timeline

March 11, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08Related CVE