WordPress Plugin Vulnerabilities

Happy Addons for Elementor < 3.12.4 - Missing Authorization

Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_reqeust() function in versions up to, and including, 3.12.3. This makes it possible for authenticated attackers, with contributor-level access and above, to view draft/private/password protected templates.

Affects Plugins

Plugin icon
happy-elementor-addons
Fixed in 3.12.4

References

CVE
CVE-2024-48045
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc447bc-841c-443f-9949-a0d852762fd9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
2837da6c-b841-410c-b45f-1083dd4f2588

Timeline

Publicly Published
2024-10-13 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2024-10-18 (about 1 year ago)

Other

Published
Title
Published
2025-06-05
Title
WP Email Debug 1.0 - 1.1.0 - Missing Authorization to Unauthenticated Privilege Escalation via Password Reset
Published
2024-03-29
Title
SP Project & Document Manager <= 4.70 - Missing Authorization Stored Cross-Site Scripting
Published
2026-01-25
Title
Bannerize Pro < 1.11.1 - Missing Authorization
Published
2025-01-16
Title
Goldstar <= 2.1.1 - Missing Authorization
Published
2025-12-15
Title
Image Caption Hover Pro < 20.0 - Missing Authorization