CVE-2026-2917

Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/9234b1ce-032f-487d-b60a-f80c78373238?source=cve

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475242%40happy-elementor-addons%2Ftrunk&old=3463375%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail=

https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L61

https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L21

https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php#L61

https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/clone-handler.php#L21

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3

EPSS