WordPress Plugin Vulnerabilities

Happy Addons for Elementor < 3.10.2 - Missing Authorization via add_row_actions

Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the add_row_actions() function in versions up to, and including, 3.10.1. This makes it possible for authenticated attackers, with contributor-level access and above, to clone arbitrary posts, including password protected posts which may allow them to access the restricted posts content.

Affects Plugins

Plugin icon
happy-elementor-addons
Fixed in 3.10.2

References

CVE
CVE-2024-24833
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1b25df18-dd9a-4b24-8187-283d5f3f334e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abu Hurayra (HurayraIIT)
Verified
No
WPVDB ID
cf2bd6aa-4211-4c2e-bfa2-6c8a6a3b02d0

Timeline

Publicly Published
2024-02-02 (about 2 years ago)
Added
2024-02-06 (about 2 years ago)
Last Updated
2024-02-06 (about 2 years ago)

Other

Published
Title
Published
2024-05-15
Title
Tutor LMS Pro < 2.7.1 - Missing Authorization
Published
2024-08-16
Title
Radio Player < 2.0.74 - Missing Authorization to Player Update
Published
2026-02-17
Title
ShopLentor < 3.3.3 - Unauthenticated Email Relay Abuse
Published
2026-01-11
Title
Penci AI SmartContent Creator <= 2.0 - Missing Authorization
Published
2025-03-04
Title
Zass - WooCommerce Theme for Handmade Artists and Artisans <= 3.9.9.10 - Missing Authorization to Authenticated (Subscriber+) Demo Import