The Happy Addons for Elementor plugin suffers from an Insecure Direct Object Reference vulnerability (CWE-639) via the `ha_duplicate_thing` admin action handler. The authorization check uses `current_user_can('edit_posts')` which is a broad capability, instead of object-level checks like `current_user_can('edit_post', $post_id)`. Additionally, the nonce protecting the clone action is generic and not tied to a specific post ID, allowing attackers with Contributor or higher privileges to reuse a valid nonce from their own posts and change the `post_id` parameter to clone other users' posts. The cloning operation duplicates the entire post content, metadata (including sensitive widget configurations and API tokens), and taxonomies into a draft owned by the attacker. This can lead to unauthorized access to sensitive content and data within the WordPress environment.

Authenticated users with Contributor-level access or higher can clone any published post, page, or custom post type regardless of ownership. This unauthorized cloning exposes potentially sensitive post content, metadata, widget configurations, and API tokens to the attacker. The vulnerability does not allow direct modification or deletion but compromises confidentiality by unauthorized duplication of content and associated data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access where possible and monitor for unusual cloning activity. Avoid granting unnecessary edit permissions to untrusted users. Follow updates from thehappymonster for an official patch or temporary workaround.