CVE-2026-2918: CWE-639 Authorization Bypass Through User-Controlled Key in thehappymonster Happy Addons for Elementor
CVE-2026-2918 is a medium-severity vulnerability in the Happy Addons for Elementor WordPress plugin, affecting all versions up to and including 3.21.0. The plugin's AJAX actions perform inadequate capability checks, so an authenticated user with Contributor-level access or higher can modify the display conditions of published templates. Because the condition renderer also fails to escape its output, the same request can store a cross-site scripting (XSS) payload that executes when an administrator views the affected panel. Exploitation requires authentication but, per the CVSS vector, no user interaction. The vulnerability affects confidentiality and integrity but not availability. No exploitation in the wild has been reported. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized template modification and XSS.
AI Analysis
Technical Summary
CVE-2026-2918 is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and affects the Happy Addons for Elementor WordPress plugin, versions up to and including 3.21.0. The root cause is improper authorization in two AJAX actions, 'ha_condition_update' and 'ha_get_current_condition'. The 'validate_reqeust()' method calls 'current_user_can('edit_posts', $template_id)' instead of 'current_user_can('edit_post', $template_id)'. The distinction matters: 'edit_posts' is a role-wide capability that every Contributor holds, so the check passes regardless of which template ID the caller supplies, whereas 'edit_post' is a meta capability that WordPress resolves against the specific post, its author and its publication status. The result is that a Contributor can modify the display conditions of any published 'ha_library' template, which the role is not otherwise permitted to edit. The 'ha_get_current_condition' action has no capability check at all. Compounding the issue, the 'cond_to_html()' renderer writes condition values into HTML attributes by string concatenation rather than through WordPress's 'esc_attr()', so an attacker can close the attribute and append an event handler such as 'onmouseover'. The payload is stored with the template and executes when an administrator views the Template Conditions panel, exposing the administrator's session and anything it can do. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required (Contributor or higher), no user interaction, and changed scope because the script runs in the victim administrator's browser. The page reports no patch and no known exploitation at the time of writing; unmitigated sites remain exposed.
Potential Impact
An authenticated user with Contributor-level access or higher can bypass the intended authorization controls and change the display conditions of published templates, altering where and to whom site content is shown. The stored XSS component turns that into an attack on administrators: when one opens the affected panel, the injected script runs in their session and can hijack it, create or elevate accounts, or plant further malicious content, compromising site integrity and confidentiality. Availability is not directly affected, but the integrity and confidentiality impact can lead to data leakage, reputational damage and follow-on compromise. Sites running Happy Addons for Elementor are at risk of unauthorized content manipulation and administrative account takeover, and the risk grows with the number of users holding Contributor or higher roles, since any one of them can trigger the condition. The attack needs authentication but no additional user interaction from the victim beyond viewing the panel. With no patch reported at the time of writing, the exposure window is open and must be closed with compensating controls.
Mitigation Recommendations
Review user roles now and limit Contributor-level and higher access to trusted users; the fewer accounts that can reach the plugin's AJAX actions, the smaller the attack surface. Until an official patch is released, disable or remove the Happy Addons for Elementor plugin if that is feasible. If it is not, virtually patch the affected AJAX actions: hook 'ha_condition_update' and 'ha_get_current_condition' so that every request is checked with 'current_user_can('edit_post', $template_id)' rather than 'current_user_can('edit_posts', $template_id)', and deny requests that fail. Correct the output side as well by ensuring 'cond_to_html()' passes every condition value through 'esc_attr()' (or an equivalent attribute-escaping function) before it is written into an HTML attribute. Monitor for suspicious activity, in particular POST requests to admin-ajax.php with action=ha_condition_update from non-administrator accounts, and audit existing template conditions for values containing quotes or event-handler attributes. Advise administrators not to open the Template Conditions panel from a privileged session until the fix is in place. Watch the vendor's advisories for an official patch and apply it promptly once available.
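The two defects described in the analysis, and the virtual patch recommended above, are shown together in the following added example. It is not code from the Happy Addons plugin or from Wordfence; it is a must-use plugin written for this page. The action names 'ha_condition_update' and 'ha_get_current_condition', the 'ha_library' post type and the 'cond_to_html()' renderer come from the advisory; the request parameter name 'template_id', the vendor handler's default hook priority, and the exact markup the renderer emits are assumptions and must be adjusted to match the installed plugin.

```php
<?php
/**
 * Added example (not the plugin's own code): a must-use plugin that
 * virtually patches CVE-2026-2918 until the vendor fix is applied.
 * Place it in wp-content/mu-plugins/ so it is always loaded.
 *
 * Assumptions (hypothetical, verify against the installed plugin):
 *  - the template ID arrives in the request as `template_id`;
 *  - the vendor handlers are registered on wp_ajax_ha_condition_update and
 *    wp_ajax_ha_get_current_condition at the default priority (10).
 */

// --- 1. Object-level authorization ----------------------------------------
// The pattern quoted in the advisory. 'edit_posts' is a role-wide capability
// that every Contributor holds, so the check passes for any $template_id.
function ha_example_vulnerable_check( $template_id ) {
    return current_user_can( 'edit_posts', $template_id ); // CWE-639: wrong capability
}

// Corrected check. 'edit_post' is a meta capability that map_meta_cap()
// resolves against the specific post, its author and its status; a
// Contributor cannot edit a published template that way.
function ha_example_authorize_template( $template_id ) {
    $template_id = absint( $template_id );
    if ( ! $template_id ) {
        return false;
    }
    $post = get_post( $template_id );
    if ( ! $post || 'ha_library' !== $post->post_type ) {
        return false; // only the plugin's own template post type is in scope
    }
    return current_user_can( 'edit_post', $template_id );
}

// --- 2. Gate both AJAX actions before the vendor handler runs -------------
function ha_example_gate_condition_ajax() {
    // Hypothetical parameter name; adjust to whatever the plugin reads.
    $template_id = isset( $_REQUEST['template_id'] ) ? $_REQUEST['template_id'] : 0;
    if ( ! ha_example_authorize_template( $template_id ) ) {
        // wp_send_json_error() ends the request via wp_die(), so the
        // plugin's own (unchecked) handler at priority 10 never executes.
        wp_send_json_error( array( 'message' => 'Not allowed to edit this template.' ), 403 );
    }
}
add_action( 'wp_ajax_ha_condition_update', 'ha_example_gate_condition_ajax', 1 );
add_action( 'wp_ajax_ha_get_current_condition', 'ha_example_gate_condition_ajax', 1 );

// --- 3. Output escaping in the condition renderer -------------------------
// The pattern the advisory describes: concatenating a stored value straight
// into an attribute. A value such as
//     x" onmouseover="alert(document.cookie)
// closes value="..." and appends an event handler (stored XSS).
function ha_example_cond_to_html_vulnerable( $name, $value ) {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened renderer. esc_attr() encodes ", ', <, > and &, so the stored
// payload can no longer terminate the attribute; it renders as plain text.
function ha_example_cond_to_html_safe( $name, $value ) {
    return sprintf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( $name ),
        esc_attr( $value )
    );
}
```

The gate runs at priority 1 so it precedes the vendor handler regardless of which plugin loaded first. Note that 'edit_post' only resolves correctly if the 'ha_library' post type was registered to map meta capabilities to post capabilities; if the plugin registered it with custom capabilities, use the corresponding edit meta capability for that type. The renderer fix is illustrative: the real 'cond_to_html()' must be patched in place (or its output filtered) for stored payloads to stop executing in the admin panel.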
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-20T21:49:53.519Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b121032f860ef9435ba54e
Added to database: 3/11/2026, 8:00:03 AM
Last enriched: 3/11/2026, 8:14:44 AM
Last updated: 3/11/2026, 9:54:59 AM