PT-2026-24599 · Thehappymonster · Happy Addons For Elementor

Dmitry Ignatyev · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-2918

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Happy Addons for Elementor versions prior to 3.21.1

Description: The Happy Addons for Elementor plugin for WordPress is subject to an Insecure Direct Object Reference issue and Stored Cross-Site Scripting. The issue stems from insufficient object-level authorization checks in the validate_request() method, which uses current_user_can('edit_posts', $template_id) instead of current_user_can('edit_post', $template_id); 'edit_posts' is a primitive capability, so the template ID is ignored and the check passes for any template. The ha_get_current_condition AJAX action also lacks a capability check. This allows authenticated attackers with Contributor-level access or higher to modify the display conditions of any published ha_library template. The cond_to_html() renderer does not properly escape output, using string concatenation instead of esc_attr(), enabling the injection of event handler attributes such as onmouseover that execute JavaScript when an administrator views the Template Conditions panel.

Recommendations: Update Happy Addons for Elementor to version 3.21.1 or later.
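To make the two fixes concrete, here is an added example (not the plugin's own code; the function, AJAX action and meta-key names are hypothetical stand-ins) contrasting the primitive-capability check the advisory describes with an object-level one, adding the missing nonce and capability gate on the AJAX handler, and escaping the stored condition on output:

```php
<?php
// Added illustration, not code from the Happy Addons plugin. Function, action
// and meta-key names are hypothetical stand-ins for the ones in the advisory.

// BEFORE (the pattern the advisory describes): 'edit_posts' is a primitive
// capability, so WordPress ignores $template_id and any Contributor passes
// the check for every template.
function weak_validate_request( $template_id ) {
    return current_user_can( 'edit_posts', $template_id );
}

// AFTER: 'edit_post' is a meta capability that map_meta_cap() resolves against
// the specific post, so the caller must actually be allowed to edit that one.
function strict_validate_request( $template_id ) {
    $template_id = absint( $template_id );
    return $template_id > 0 && current_user_can( 'edit_post', $template_id );
}

// Every AJAX handler that reads or writes a template's condition should gate on
// a nonce plus the object-level capability, including the read action the
// advisory says had no check at all.
function example_save_condition_ajax() {
    check_ajax_referer( 'example_template_conditions', 'nonce' );
    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    if ( ! strict_validate_request( $template_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to edit this template.' ), 403 );
    }
    $condition = isset( $_POST['condition'] )
        ? sanitize_text_field( wp_unslash( $_POST['condition'] ) )
        : '';
    update_post_meta( $template_id, '_example_display_condition', $condition );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_condition', 'example_save_condition_ajax' );

// Rendering: a stored value that lands inside an attribute goes through
// esc_attr() (which neutralises the quote needed to break out and add an
// event-handler attribute), and text content goes through esc_html().
function example_cond_to_html( $condition ) {
    return '<span class="ha-condition" data-condition="' . esc_attr( $condition ) . '">'
         . esc_html( $condition ) . '</span>';
}
```

The output escaping is a second, independent layer: even if an authorization bug lets an untrusted user store a value, the administrator-facing panel renders it inertly.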

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-2918

Affected Products: Happy Addons For Elementor