CVE-2026-2918

{"id": "CVE-2026-2918", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.1}]}, "published": "2026-03-11T08:16:03.567", "references": [{"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475242%40happy-elementor-addons%2Ftrunk&old=3463375%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` \u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting."}, {"lang": "es", "value": "El plugin Happy Addons para Elementor para WordPress es vulnerable a Referencia Directa a Objeto Insegura en todas las versiones hasta la 3.21.0, inclusive, a trav\u00e9s de la acci\u00f3n AJAX 'ha_condition_update'. Esto se debe a que el m\u00e9todo 'validate_reqeust()' usa 'current_user_can('edit_posts', $template_id)' en lugar de 'current_user_can('edit_post', $template_id)' \u2014 lo que impide realizar una autorizaci\u00f3n a nivel de objeto. Adem\u00e1s, la acci\u00f3n AJAX 'ha_get_current_condition' carece de una verificaci\u00f3n de capacidad. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, modifiquen las condiciones de visualizaci\u00f3n de cualquier plantilla 'ha_library' publicada. Debido a que el renderizador 'cond_to_html()' genera valores de condici\u00f3n en atributos HTML sin un escape adecuado (usando concatenaci\u00f3n de cadenas en lugar de 'esc_attr()'), un atacante puede inyectar atributos de gestor de eventos (por ejemplo, 'onmouseover') que ejecutan JavaScript cuando un administrador ve el panel de Condiciones de Plantilla, lo que resulta en Cross-Site Scripting Almacenado."}], "lastModified": "2026-04-22T21:27:27.950", "sourceIdentifier": "security@wordfence.com"}