CVE-2026-2917
Description
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the ha_duplicate_thing admin action handler. This is due to the can_clone() method only checking current_user_can('edit_posts') (a general capability) without performing object-level authorization such as current_user_can('edit_post', $post_id), and the nonce being tied to the generic action name ha_duplicate_thing rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the post_id parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.
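The following is an added illustration of the authorization pattern the advisory describes, written for this page rather than taken from the plugin: the weak site-wide check beside a hardened version that performs object-level authorization and binds the nonce to the post ID. All function names, the `ha_example_` prefix, and the per-post nonce action string are assumptions; only the WordPress core APIs are real.

```php
<?php
// Hypothetical defensive example; not the plugin's own clone-handler code.
// Uses real WordPress core functions: current_user_can, wp_verify_nonce,
// wp_nonce_url, get_post, absint, admin_url, wp_die.

/**
 * Weak pattern (as described in the advisory): a site-wide capability plus a
 * nonce tied only to the action name, so a nonce obtained for the caller's own
 * post is valid for any other post_id.
 */
function ha_example_can_clone_weak( $nonce ) {
    return current_user_can( 'edit_posts' )
        && wp_verify_nonce( $nonce, 'ha_duplicate_thing' );
}

/**
 * Hardened check: capability evaluated against the specific post, and a nonce
 * scoped to that post ID so neither can be replayed across objects.
 * Assumes custom post types map 'edit_post' via map_meta_cap.
 */
function ha_example_can_clone( $post_id, $nonce ) {
    $post_id = absint( $post_id );
    if ( ! get_post( $post_id ) ) {
        return false;
    }
    // Object-level capability: for another user's post this resolves to
    // edit_others_posts, which Contributors do not hold.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    // Assumed per-post action string; must match ha_example_clone_url().
    return (bool) wp_verify_nonce( $nonce, 'ha_duplicate_thing_' . $post_id );
}

/** Link generator using the same per-post action string (assumed). */
function ha_example_clone_url( $post_id ) {
    $post_id = absint( $post_id );
    return wp_nonce_url(
        admin_url( 'admin.php?action=ha_duplicate_thing&post_id=' . $post_id ),
        'ha_duplicate_thing_' . $post_id,
        '_wpnonce'
    );
}

/** Handler for the admin_action_ha_duplicate_thing hook (assumed wiring). */
function ha_example_handle_clone() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $nonce   = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! ha_example_can_clone( $post_id, $nonce ) ) {
        wp_die( esc_html__( 'You are not allowed to clone this item.' ), 403 );
    }
    // Clone logic would follow here; it is out of scope for this example.
}
```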
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php (NVD)
- plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php (NVD)
- plugins.trac.wordpress.org/changeset (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/9234b1ce-032f-487d-b60a-f80c78373238 (NVD)
News mentions
No linked articles in our index yet.