CVE-2026-2918
Description
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the ha_condition_update AJAX action. This is due to the validate_reqeust() method using current_user_can('edit_posts', $template_id) instead of current_user_can('edit_post', $template_id) — failing to perform object-level authorization. Additionally, the ha_get_current_condition AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published ha_library template. Because the cond_to_html() renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of esc_attr()), an attacker can inject event handler attributes (e.g., onmouseover) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
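A hardened shape for the two AJAX handlers and the renderer named above, added here as an example and not the plugin's own code. It assumes it is loaded inside WordPress; the nonce action, meta key and function names are placeholders.

```php
<?php
// Added example (not the plugin's code): hardened handlers for the two AJAX
// actions above. Nonce action, meta key and function names are assumptions.

// Object-level authorization for a single ha_library template.
function ha_example_user_can_edit_template( int $template_id ): bool {
    $post = get_post( $template_id );
    if ( ! $post || 'ha_library' !== $post->post_type ) {
        return false; // missing post, or not a template at all
    }
    // 'edit_post' is a meta capability that WordPress maps per object, so a
    // Contributor passes only for a draft they own. The primitive 'edit_posts'
    // (the bug) is held by every Contributor and ignores $template_id entirely.
    // For a custom post type this distinction exists only when the type maps
    // meta capabilities (map_meta_cap), so confirm that at registration.
    return current_user_can( 'edit_post', $post->ID );
}

function ha_example_condition_update() {
    check_ajax_referer( 'ha_condition_nonce', 'nonce' );
    $template_id = isset( $_POST['template_id'] ) ? (int) $_POST['template_id'] : 0;
    if ( ! ha_example_user_can_edit_template( $template_id ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    $raw   = isset( $_POST['conditions'] ) ? wp_unslash( $_POST['conditions'] ) : array();
    $clean = array_map( 'sanitize_text_field', (array) $raw ); // sanitize on input...
    update_post_meta( $template_id, '_ha_conditions', $clean );
    wp_send_json_success();
}

// The getter receives the same nonce and object-level check it was missing.
function ha_example_get_current_condition() {
    check_ajax_referer( 'ha_condition_nonce', 'nonce' );
    $template_id = isset( $_GET['template_id'] ) ? (int) $_GET['template_id'] : 0;
    if ( ! ha_example_user_can_edit_template( $template_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( get_post_meta( $template_id, '_ha_conditions', true ) );
}

// ...and escape on output: esc_attr() for attribute context, esc_html() for
// text, so a stored value such as  x" onmouseover="...  stays inert.
function ha_example_cond_to_html( array $conditions ): string {
    $html = '';
    foreach ( $conditions as $name => $value ) {
        $html .= sprintf( '<div class="ha-condition" data-name="%s" data-value="%s">%s</div>',
            esc_attr( $name ), esc_attr( $value ), esc_html( $value ) );
    }
    return $html;
}

add_action( 'wp_ajax_ha_condition_update', 'ha_example_condition_update' );
add_action( 'wp_ajax_ha_get_current_condition', 'ha_example_get_current_condition' );
```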
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php
- plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4
News mentions
No linked articles in our index yet.