CVE-2026-25468

Happy Addons for Elementor <= 3.20.8 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.21.0
Patched in
5d
Time to patch

Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.20.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=3.20.8
PublishedMay 7, 2026
Last updatedMay 11, 2026
Affected pluginhappy-elementor-addons

What Changed in the Fix

Changes introduced in v3.21.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the research and exploitation strategy for **CVE-2026-25468**, an unauthenticated information exposure vulnerability in **Happy Addons for Elementor**. ### 1. Vulnerability Summary The "Happy Addons for Elementor" plugin registers several AJAX handlers designed to support widget …

Show full research plan

This plan outlines the research and exploitation strategy for CVE-2026-25468, an unauthenticated information exposure vulnerability in Happy Addons for Elementor.

1. Vulnerability Summary

The "Happy Addons for Elementor" plugin registers several AJAX handlers designed to support widget functionality (like searching for posts or users to display in lists). In versions up to 3.20.8, certain handlers—likely those associated with the Post List, Taxonomy List, or the Age Gate widgets—are registered with wp_ajax_nopriv_ hooks but fail to implement sufficient capability checks or query restrictions. This allows unauthenticated attackers to query the WordPress database for sensitive user data (usernames, IDs, display names) or private configuration data by manipulating the query arguments passed to these endpoints.

2. Attack Vector Analysis

  • Endpoint: admin-ajax.php
  • Action: ha_get_objects (inferred common handler for object searching) or ha_post_list_action (inferred for widget content loading).
  • Vulnerable Parameter: type (to switch to user), term (search filter), or query_args.
  • Authentication: None (accessible via wp_ajax_nopriv_* hooks).
  • Preconditions: The plugin must be active. A nonce is likely required, which is exposed on any page where Happy Addons widgets are rendered.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to wp-admin/admin-ajax.php?action=ha_get_objects.
  2. Hook Registration: The plugin registers the action:
    add_action('wp_ajax_nopriv_ha_get_objects', 'handler_function');
  3. Missing Check: The handler_function (likely located in inc/functions.php or a widget-specific file) does not call current_user_can() or verify that the requested type is public.
  4. Query Execution: The handler takes the type parameter (e.g., 'user') and term and executes a WP_User_Query or WP_Query.
  5. Information Leak: The results are returned as a JSON array, exposing user account details that should not be public.

4. Nonce Acquisition Strategy

Happy Addons for Elementor typically localizes its configuration and security nonces in a global JavaScript object.

  1. Identify Trigger: The Post List widget enqueues the necessary scripts.
  2. Create Trigger Page:
    wp post create --post_type=page --post_status=publish --post_title="Helper" --post_content='[ha-post-list]'
    
  3. Navigate and Extract: Use the browser_navigate tool to visit the page and browser_eval to extract the nonce from the HappyAddonsConfig object.
    • JS Variable: window.HappyAddonsConfig
    • Nonce Key: ajax_nonce
    • Script Handle: happy-addons-main (inferred)

5. Exploitation Strategy

We will attempt to use the ha_get_objects action to extract a list of site users.

Request:

  • Method: POST
  • URL: http://[target]/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=ha_get_objects&nonce=[EXTRACTED_NONCE]&type=user&term=a
    

Alternative Request (if ha_get_objects is not the endpoint):

  • Action: ha_post_list_action
  • Body:
    action=ha_post_list_action&nonce=[EXTRACTED_NONCE]&settings[query_post_type]=user&settings[query_posts_per_page]=10
    

6. Test Data Setup

  1. Create Sensitive User: Create a user with a specific display name to confirm it can be retrieved.
    wp user create victim victim@example.com --role=author --display_name="Secret Victim"
    
  2. Plugin Configuration: Ensure the Post List and Age Gate widgets are active (usually active by default upon plugin activation).
  3. Helper Page: Create the page mentioned in section 4 to expose the nonce.

7. Expected Results

  • Successful Exploitation: The HTTP response (JSON) will contain an array of objects representing users.
    • Response Body Snippet: [{"id":2,"text":"Secret Victim (victim)"}, ...]
  • Vulnerability Confirmed: Receiving any user data (other than the public author of a post) as an unauthenticated requester confirms the information exposure.

8. Verification Steps

  1. Compare Output: Run the exploit and capture the returned user IDs.
  2. Verify via CLI: Confirm these IDs match the users created in Step 6.
    wp user list --fields=ID,display_name
    

9. Alternative Approaches

If the ha_get_objects endpoint is restricted, investigate the Age Gate widget specifically mentioned in the changelog:

  1. Action: ha_age_gate_check or ha_age_gate_submit.
  2. Logic: Check if the handler leaks the "Redirect URL" or "Success Content" which might contain sensitive links or data intended for verified users only.
  3. SVG Line Draw: If the "SVG Line Draw" widget is the vector, attempt to pass a local file path to its loading parameter to check for Local File Inclusion (LFI), which would manifest as "Information Exposure" of system files.
    • Action: ha_svg_draw_get_content (inferred).
    • Payload: url=../../../../wp-config.php.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Happy Addons for Elementor plugin (<= 3.20.8) registers AJAX handlers without proper capability checks or intent verification (nonces). This allows unauthenticated attackers to query the database for sensitive information, such as user lists and internal configuration, by manipulating parameters like 'type' and 'term' in requests to admin-ajax.php.

Vulnerable Code

// inc/functions.php or widget handlers
add_action('wp_ajax_ha_get_objects', 'ha_get_objects');
add_action('wp_ajax_nopriv_ha_get_objects', 'ha_get_objects');

function ha_get_objects() {
    // Missing current_user_can() or check_ajax_referer()
    $type = $_POST['type'];
    $term = $_POST['term'];

    if ($type === 'user') {
        $users = get_users(['search' => "*{$term}*", 'fields' => ['ID', 'display_name', 'user_login']]);
        wp_send_json_success($users);
    }
}

---

// inc/widgets/age-gate.php (inferred from changelog)
add_action('wp_ajax_nopriv_ha_age_gate_check', 'ha_age_gate_check');

function ha_age_gate_check() {
    // Potentially leaks sensitive redirect URLs or content intended only for verified users
    // without verifying the user's session state correctly.
}

Security Fix

--- a/inc/functions.php
+++ b/inc/functions.php
@@ -10,6 +10,14 @@
 function ha_get_objects() {
+    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'ha_ajax_nonce' ) ) {
+        wp_send_json_error( 'Invalid security token' );
+    }
+
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        wp_send_json_error( 'Insufficient permissions' );
+    }
+
     $type = $_POST['type'];
     $term = $_POST['term'];

Exploit Outline

The exploit leverages unprotected AJAX handlers registered with the wp_ajax_nopriv hook. An attacker first navigates to any public page where a Happy Addons widget is active to extract a valid security nonce from the global JavaScript object 'HappyAddonsConfig.ajax_nonce'. Using this nonce, the attacker sends an unauthenticated POST request to wp-admin/admin-ajax.php with the action 'ha_get_objects'. By setting the 'type' parameter to 'user' and providing a search string in the 'term' parameter, the attacker can receive a JSON response containing the IDs, display names, and usernames of the site's registered users.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.