Happy Addons for Elementor Insecure Direct Object Reference Vulnerability Allowing Unauthorized Post Duplication

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Happy Addons for Elementor WordPress plugin, affecting all versions through 3.21.0. The issue lies in the 'ha_duplicate_thing' admin action handler, whose 'can_clone()' method only verifies whether the user is allowed to edit posts in general and does not check authorization for the specific object being cloned. This flaw enables authenticated users with Contributor-level access and above to clone any published content by changing the 'post_id' parameter. The cloned content, including sensitive metadata and widget configurations, is copied into a new draft owned by the attacker.
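The weak check described above beside a hardened one, as an added illustration that is not the plugin's own code: the 'example_'-prefixed function and nonce action names are hypothetical, and the only assumption is standard WordPress core APIs.

```php
<?php
// Added illustrative example, not code from Happy Addons. All 'example_' names are hypothetical.

// Weak pattern from the advisory: a blanket capability check with no object in view.
// Contributors have 'edit_posts', so this returns true for them regardless of which post is targeted.
function example_can_clone_weak() {
    return current_user_can( 'edit_posts' );
}

// Hardened pattern: authorize against the specific post being cloned.
// 'edit_post' is a meta capability; WordPress maps it per post (owner, status, post type),
// so a Contributor passes only for their own unpublished posts and fails for others' content.
function example_can_clone_fixed( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post instanceof WP_Post ) {
        return false; // unknown id: deny rather than fall through
    }
    return current_user_can( 'edit_post', $post->ID );
}

// Handler sketch: sanitize the id, verify a nonce bound to that id (defense in depth, so a nonce
// issued for one post cannot be replayed for another), then run the object-level check.
function example_duplicate_thing_handler() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    check_admin_referer( 'example_duplicate_' . $post_id );
    if ( ! example_can_clone_fixed( $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to duplicate this item.', 'example' ), 403 );
    }
    // ... clone the post and its meta into a new draft owned by the current user ...
}
add_action( 'admin_action_example_duplicate_thing', 'example_duplicate_thing_handler' );
```

The matching link would be generated with wp_nonce_url() using the same 'example_duplicate_' . $post_id action string, so the nonce and the authorization both refer to one concrete object.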

Impact

Exploitation of this vulnerability allows unauthorized duplication of posts, pages, or custom post types, potentially exposing sensitive information stored in post metadata, such as API tokens and widget configurations.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can request the 'ha_duplicate_thing' action. The user must obtain a valid nonce from one of their own posts and then change the 'post_id' parameter to target a different user's published content. This can be done by manually crafting the request to include the desired 'post_id' and nonce.

Remediation

Users are advised to update the Happy Addons for Elementor plugin to version 3.21.1 or later.

Added: Mar 11, 2026, 8:23 AM
Updated: Mar 11, 2026, 8:23 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 3.1
exploitability: 6.4
remediation: 7.7
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.