Description
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.
INFO
Published Date :
2026-03-11T07:36:25.496Z
Last Modified :
2026-03-11T07:36:25.496Z
Source :
Wordfence
AFFECTED PRODUCTS
The following products are affected by CVE-2026-2917 vulnerability.
No data.
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-2917.
