Happy Addons for Elementor Insecure Direct Object Reference Vulnerability Allowing Authenticated Stored Cross-Site Scripting
Vulnerability
A vulnerability exists in the Happy Addons for Elementor WordPress plugin, specifically in versions up to and including 3.21.0. The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Contributor-level access or higher to manipulate the display conditions of any published 'ha_library' template. This vulnerability arises because the 'ha_condition_update' AJAX action fails to implement proper object-level authorization, allowing unauthorized modifications. Additionally, the 'ha_get_current_condition' AJAX action lacks a capability check, further exacerbating the issue. Exploitation of this vulnerability leads to Stored Cross-Site Scripting, as injected JavaScript is executed when an administrator views the Template Conditions panel.
Impact
Exploiting the Insecure Direct Object Reference lets an attacker modify template conditions without authorization. It also introduces a Stored Cross-Site Scripting risk: injected scripts are executed in the context of the user viewing the template conditions.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the 'ha_condition_update' AJAX action. The request must include a template ID and the conditions to be applied. The 'validate_request()' method will incorrectly authorize the request, allowing the user to modify the template conditions without proper permissions. After updating the conditions, the 'ha_get_current_condition' AJAX action can be used to retrieve the modified conditions, which will include any injected scripts. When an administrator views the Template Conditions panel, the injected JavaScript will be executed, demonstrating the Cross-Site Scripting vulnerability.
Remediation
Users are advised to update the Happy Addons for Elementor plugin to version 3.21.1 or later, where this vulnerability has been patched.
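The checks the advisory describes as missing, sketched as an added example; this is not the plugin's code and not the 3.21.1 patch. The two AJAX action names and the 'ha_library' post type come from the advisory, while the handler function names, nonce action, request field names and meta key are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Hook names come from the advisory;
// the nonce action, request fields and meta key are assumed placeholders.

const HA_EXAMPLE_NONCE = 'ha_example_conditions';   // assumed nonce action
const HA_EXAMPLE_META  = '_ha_example_conditions';  // assumed meta key

// Shared gate for both actions: CSRF token, post type, then per-object permission.
function ha_example_authorize_template(): int {
    check_ajax_referer( HA_EXAMPLE_NONCE, 'nonce' ); // dies on a bad or missing nonce

    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    $post        = $template_id ? get_post( $template_id ) : null;

    if ( ! $post || 'ha_library' !== $post->post_type ) {
        wp_send_json_error( 'Invalid template.', 400 );
    }
    // Object-level check: may this user edit this specific template?
    // A Contributor fails it for a published template.
    if ( ! current_user_can( 'edit_post', $template_id ) ) {
        wp_send_json_error( 'Forbidden.', 403 );
    }
    return $template_id;
}

function ha_example_condition_update(): void {
    $template_id = ha_example_authorize_template();

    $raw = isset( $_POST['conditions'] ) ? (array) wp_unslash( $_POST['conditions'] ) : array();
    // Store plain text only; markup is stripped before it reaches the database.
    $clean = array_map( 'sanitize_text_field', array_filter( $raw, 'is_scalar' ) );

    update_post_meta( $template_id, HA_EXAMPLE_META, array_values( $clean ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_ha_condition_update', 'ha_example_condition_update' );

function ha_example_get_current_condition(): void {
    $template_id = ha_example_authorize_template(); // same gate on the read path

    $stored = get_post_meta( $template_id, HA_EXAMPLE_META, true );
    $stored = is_array( $stored ) ? array_filter( $stored, 'is_scalar' ) : array();
    // Escape on output too (assumes the panel inserts values as HTML), so
    // anything stored before the fix renders as inert text.
    wp_send_json_success( array_map( 'esc_html', array_values( $stored ) ) );
}
add_action( 'wp_ajax_ha_get_current_condition', 'ha_example_get_current_condition' );
```

After updating, site owners can also review the conditions stored on existing 'ha_library' templates, since values written before the patch remain in the database.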
