PT-2026-24598 · Thehappymonster · Happy Addons For Elementor

Dmitry Ignatyev · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-2917

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Happy Addons for Elementor versions through 3.21.0

Description

The Happy Addons for Elementor plugin for WordPress is susceptible to an Insecure Direct Object Reference issue via the ha_duplicate_thing admin action handler. The can_clone() method insufficiently verifies authorization, only checking current_user_can('edit_posts') instead of performing object-level authorization like current_user_can('edit_post', $post_id). Additionally, the nonce is associated with the generic action name ha_duplicate_thing rather than a specific post ID. This allows authenticated attackers with Contributor-level access or higher to clone any published post, page, or custom post type by manipulating the post_id parameter. The cloning process duplicates the complete post content, all post metadata—potentially including sensitive widget configurations and API tokens—and taxonomies, creating a new draft owned by the attacker.

Recommendations

Happy Addons for Elementor versions through 3.21.0: Update to a version beyond 3.21.0.
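
The two weaknesses named in the description, shown beside an object-level check with a per-post nonce. This is an added example, not the plugin's source or its actual patch: every `example_*` name is hypothetical, and the use of the `admin_action_` hook, `admin.php` and the `_wpnonce` query argument are assumptions; only the action name and the `post_id` parameter come from the advisory.

```php
<?php
// Added illustration, not the plugin's source. example_* names are hypothetical;
// the action name and the post_id parameter are taken from the advisory.
const EXAMPLE_ACTION = 'ha_duplicate_thing';

// Weak pattern from the advisory: generic capability, nonce valid for every post.
function example_can_clone_weak(): bool {
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    return current_user_can( 'edit_posts' ) && wp_verify_nonce( $nonce, EXAMPLE_ACTION );
}

// Hardened pattern: the nonce is bound to one post and the capability is checked per object.
function example_can_clone( int $post_id ): bool {
    if ( $post_id <= 0 || ! get_post( $post_id ) ) {
        return false;
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_ACTION . '_' . $post_id ) ) {
        return false;
    }
    // 'edit_post' is a meta capability: WordPress resolves it against this post's
    // author, status and post type, so a Contributor fails it for others' published posts.
    return current_user_can( 'edit_post', $post_id );
}

// The duplicate link has to be generated with the same per-post nonce action.
function example_clone_url( int $post_id ): string {
    $url = add_query_arg(
        array( 'action' => EXAMPLE_ACTION, 'post_id' => $post_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, EXAMPLE_ACTION . '_' . $post_id );
}

// Assumed entry point: refuse before any content, metadata or taxonomy is read.
function example_handle_clone(): void {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( ! example_can_clone( $post_id ) ) {
        wp_die( 'You are not allowed to duplicate this item.', '', array( 'response' => 403 ) );
    }
    // Authorized: the existing duplication routine would run from this point.
}
add_action( 'admin_action_' . EXAMPLE_ACTION, 'example_handle_clone' );
```

After an incident, drafts whose author could not have edited the original post are the artifact to look for, since the description states each clone is created as a new draft owned by the requesting user.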

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-2917

Affected Products: Happy Addons For Elementor