{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2917", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-20T20:58:53.545Z", "datePublished": "2026-03-11T07:36:25.496Z", "dateUpdated": "2026-04-08T17:09:21.829Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:21.829Z"}, "affected": [{"vendor": "thehappymonster", "product": "Happy Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.21.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker."}], "title": "Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9234b1ce-032f-487d-b60a-f80c78373238?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L61"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475242%40happy-elementor-addons%2Ftrunk&old=3463375%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-02-20T21:14:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T19:07:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:48:26.470266Z", "id": "CVE-2026-2917", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:50:03.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2917", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:48:26.470266Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:49:57.248Z"}}], "cna": {"title": "Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "thehappymonster", "product": "Happy Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.21.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-20T21:14:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-10T19:07:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9234b1ce-032f-487d-b60a-f80c78373238?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L61"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475242%40happy-elementor-addons%2Ftrunk&old=3463375%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:21.829Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2917", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:21.829Z", "dateReserved": "2026-02-20T20:58:53.545Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-11T07:36:25.496Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker."}, {"lang": "es", "value": "El plugin Happy Addons for Elementor para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 3.21.0, inclusive, a trav\u00e9s del gestor de acci\u00f3n de administraci\u00f3n 'ha_duplicate_thing'. Esto se debe a que el m\u00e9todo 'can_clone()' solo verifica 'current_user_can('edit_posts')' (una capacidad general) sin realizar una autorizaci\u00f3n a nivel de objeto como 'current_user_can('edit_post', $post_id)', y a que el nonce est\u00e1 vinculado al nombre de acci\u00f3n gen\u00e9rico 'ha_duplicate_thing' en lugar de a un ID de publicaci\u00f3n espec\u00edfico. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, clonen cualquier publicaci\u00f3n, p\u00e1gina o tipo de publicaci\u00f3n personalizada publicada obteniendo un nonce de clonaci\u00f3n v\u00e1lido de sus propias publicaciones y cambiando el par\u00e1metro 'post_id' para apuntar al contenido de otros usuarios. La operaci\u00f3n de clonaci\u00f3n copia el contenido completo de la publicaci\u00f3n, todos los metadatos de la publicaci\u00f3n (incluidas configuraciones de widgets y tokens de API potencialmente sensibles) y taxonom\u00edas en un nuevo borrador propiedad del atacante."}], "id": "CVE-2026-2917", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-11T08:16:03.367", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475242%40happy-elementor-addons%2Ftrunk&old=3463375%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9234b1ce-032f-487d-b60a-f80c78373238?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.21.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Happy Addons for Elementor", "source": "cna", "vendor": "thehappymonster"}, "product": "happy_addons_for_elementor", "vendor": "thehappymonster"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T15:32:01.115039+00:00", "value": {"mitigation_remediation": ["Upgrade Happy Addons for Elementor to version 3.21.1 or newer.", "Limit Contributor users to only the necessary capabilities; remove the 'edit_posts' capability if not required.", "Verify that post duplication requires 'edit_post' permission for the specific post ID.", "Monitor the WordPress admin dashboard for unauthorized draft clones.", "Check the vendor\u2019s security advisories for any further patches or updates."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Post Duplication & Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "All installed instances of the Happy Addons for Elementor plugin for WordPress up to and including version 3.21.0, provided by the vendor thehappymonster, are affected. The plugin versions 3.21.1 and newer are not impacted.", "description_and_impact": "The vulnerability in Happy Addons for Elementor arises from an Insecure Direct Object Reference (IDOR) in the admin action handler 'ha_duplicate_thing'. The can_clone() method verifies only that the user has the generic capability 'edit_posts', but it fails to confirm that the user has edit permission for the specific target post. Additionally, the nonce is bound to the generic action name instead of the post ID. This allows any authenticated user with Contributor-level privileges or higher to obtain a valid clone nonce from their own posts, change the post_id parameter, and clone any published post, page, or custom post type. The clone operation copies the full post content, all metadata including potentially sensitive widget configurations and API tokens, and taxonomies into a new draft owned by the attacker, leading to confidential data exposure and content tampering. This flaw is identified as CWE-639.", "risk_and_exploitability": "The CVSS score is 5.4, indicating moderate severity; the EPSS score is below 1%, implying a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and possess at least Contributor-level capabilities to exploit the issue. They can simply retrieve a clone nonce from one of their own posts and modify the post_id parameter to target an arbitrary post. Once cloned, the attacker can publish or edit the newly created draft, potentially escalating the damage. Because no privilege escalation is involved, the threat is primarily to confidentiality and integrity of content rather than system access."}}}}, "created": "2026-03-12T10:06:15.354903+00:00", "updated": "2026-03-20T14:37:36.355018+00:00", "vendors": ["thehappymonster", "thehappymonster$PRODUCT$happy_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}