{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2918", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-20T21:49:53.519Z", "datePublished": "2026-03-11T07:36:23.620Z", "dateUpdated": "2026-04-08T16:38:03.144Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:03.144Z"}, "affected": [{"vendor": "thehappymonster", "product": "Happy Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.21.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` \u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting."}], "title": "Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475242%40happy-elementor-addons%2Ftrunk&old=3463375%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-02-20T22:05:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T19:04:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:46:29.268891Z", "id": "CVE-2026-2918", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:46:42.006Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2918", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:46:29.268891Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:46:36.534Z"}}], "cna": {"title": "Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "thehappymonster", "product": "Happy Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.21.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-20T22:05:13.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-10T19:04:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475242%40happy-elementor-addons%2Ftrunk&old=3463375%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` \u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:03.144Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2918", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:38:03.144Z", "dateReserved": "2026-02-20T21:49:53.519Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-11T07:36:23.620Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` \u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting."}, {"lang": "es", "value": "El plugin Happy Addons para Elementor para WordPress es vulnerable a Referencia Directa a Objeto Insegura en todas las versiones hasta la 3.21.0, inclusive, a trav\u00e9s de la acci\u00f3n AJAX 'ha_condition_update'. Esto se debe a que el m\u00e9todo 'validate_reqeust()' usa 'current_user_can('edit_posts', $template_id)' en lugar de 'current_user_can('edit_post', $template_id)' \u2014 lo que impide realizar una autorizaci\u00f3n a nivel de objeto. Adem\u00e1s, la acci\u00f3n AJAX 'ha_get_current_condition' carece de una verificaci\u00f3n de capacidad. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, modifiquen las condiciones de visualizaci\u00f3n de cualquier plantilla 'ha_library' publicada. Debido a que el renderizador 'cond_to_html()' genera valores de condici\u00f3n en atributos HTML sin un escape adecuado (usando concatenaci\u00f3n de cadenas en lugar de 'esc_attr()'), un atacante puede inyectar atributos de gestor de eventos (por ejemplo, 'onmouseover') que ejecutan JavaScript cuando un administrador ve el panel de Condiciones de Plantilla, lo que resulta en Cross-Site Scripting Almacenado."}], "id": "CVE-2026-2918", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-11T08:16:03.567", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475242%40happy-elementor-addons%2Ftrunk&old=3463375%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.21.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Happy Addons for Elementor", "source": "cna", "vendor": "thehappymonster"}, "product": "happy_addons_for_elementor", "vendor": "thehappymonster"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T15:32:07.572245+00:00", "value": {"mitigation_remediation": ["Upgrade Happy Addons for Elementor to version 3.22.0 or later.", "If an immediate upgrade is not possible, restrict Contributor permissions or convert those users to a lower role that cannot edit posts.", "Consider disabling or restricting access to the vulnerable AJAX actions \"ha_condition_update\" and \"ha_get_current_condition\" by using a firewall or plugin security tool.", "Check the site for any injected JavaScript or malicious content and remove it.", "Verify that other sites\u2019 plugins and themes are up to date and free from similar authorization or XSS flaws."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Happy Addons for Elementor plugin running versions up to and including 3.21.0 are affected. The plugin is distributed by thehappymonster and the vulnerability exists in the core condition\u2011management code of the plugin.", "description_and_impact": "The vulnerability in Happy Addons for Elementor allows an authenticated user with Contributor or higher privileges to modify the display conditions of any published \"ha_library\" template. The missing object\u2011level authorization and lack of capability checks on AJAX actions let the attacker modify conditions and inject unescaped attribute values into the template rendering. This results in a stored Cross\u2011Site Scripting (XSS) that is triggered when an administrator opens the Template Conditions panel, enabling the attacker to execute arbitrary JavaScript with the administrator\u2019s privileges. The weakness corresponds to CWE\u2011639 (Access Control Weakness).", "risk_and_exploitability": "The CVSS score is 6.4, indicating a medium severity, while the EPSS score is below 1% and the vulnerability is not listed in CISA\u2019s KEV catalog, marking it as a low probability but potentially impactful issue. Exploitation requires web\u2011based access to the site\u2019s admin area and the victim merely needs any user that holds the Contributor role or higher to perform the AJAX request. The attack vector is authenticated and does not require additional privileges beyond the standard Contributor capability. If the attacker can observe an administrator viewing the conditions panel, the XSS payload will execute immediately."}}}}, "created": "2026-03-12T10:06:17.985513+00:00", "updated": "2026-03-20T14:37:39.005439+00:00", "vendors": ["thehappymonster", "thehappymonster$PRODUCT$happy_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}