WordPress Plugin Vulnerabilities

Happy Addons for Elementor < 3.10.0 - Contributor+ SSRF

Description

The plugin is vulnerable to Server-Side Request Forgery, allowing authenticated attackers, with contributor access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
happy-elementor-addons
Fixed in 3.10.0

References

CVE
CVE-2023-51676
URL
https://patchstack.com/database/vulnerability/happy-elementor-addons/wordpress-happy-addons-for-elementor-plugin-3-9-1-1-server-side-request-forgery-ssrf-vulnerability

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Yuchen Ji
Verified
No
WPVDB ID
565246ee-5122-4b60-83e9-0790cd7f3175

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-04 (about 2 years ago)

Other

Published
Title
Published
2025-10-03
Title
Orbit Fox < 3.0.2 - Author+ Server-Side Request Forgery
Published
2025-09-22
Title
Skimlinks Affiliate Marketing Tool <= 1.3 - Authenticated (Administrator+) Server-Side Request Forgery
Published
2025-11-18
Title
Icon List Block – Add Icon-Based Lists with Custom Styles < 1.2.2 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-12-04
Title
Time Sheets <= 2.1.3 - Use of Known Vulnerable Component
Published
2024-03-26
Title
AI Engine < 2.1.5 - Authenticated (Editor+) Server-Side Request Forgery