CVE-2026-1210 is a stored cross-site scripting (XSS) vulnerability identified in the Happy Addons for Elementor plugin for WordPress, a popular plugin that extends Elementor page builder functionality. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the '_elementor_data' meta field. This field is not adequately sanitized or escaped before being rendered, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. Since the injected scripts are stored persistently in the database, they execute every time a user accesses the affected page, potentially compromising user sessions or enabling unauthorized actions. The vulnerability affects all versions up to and including 3.20.7. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet. The vulnerability highlights the risk of insufficient input validation and output encoding in WordPress plugins, especially those handling complex page data structures. Mitigation requires patching the plugin once updates are available or applying strict input validation and output escaping on the '_elementor_data' field. Additionally, limiting Contributor-level access and monitoring for suspicious activity can reduce risk.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and possible privilege escalation within the WordPress environment. Since the vulnerability requires Contributor-level access, attackers must already have some level of authenticated access, but this is a common permission level for many WordPress sites allowing user-generated content. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other users and site administrators. Exploitation could undermine the confidentiality and integrity of site data and user credentials, damaging trust and potentially leading to further compromise of the hosting environment. Given WordPress's widespread use globally, many organizations, including small businesses, blogs, and larger enterprises using Elementor with Happy Addons, could be affected. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

1. Apply official patches or updates from thehappymonster as soon as they are released to address this vulnerability. 2. If patches are not yet available, implement strict input validation and output escaping on the '_elementor_data' meta field to prevent script injection. 3. Restrict Contributor-level access to trusted users only, minimizing the risk of malicious content injection. 4. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns specific to Elementor and Happy Addons plugin data structures. 5. Regularly audit and monitor user-generated content and meta fields for suspicious scripts or anomalies. 6. Educate site administrators and users about the risks of XSS and encourage prompt reporting of unusual site behavior. 7. Consider disabling or limiting the use of the Happy Addons plugin temporarily if mitigation is not feasible until a patch is available. 8. Implement Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting script sources and execution contexts.