CVE-2026-1210
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into pages using the Happy Addons for Elementor plugin. The scripts are stored and execute whenever users visit the compromised pages, enabling potential session hijacking, defacement, or malware distribution. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Happy Addons for Elementor WordPress plugin, versions 3.20.7 and earlier
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, install backdoors, or completely compromise the WordPress site and potentially the underlying server.
Likely Case
Site defacement, cookie/session theft for lower-privileged users, or redirection to phishing/malware sites affecting visitors.
If Mitigated
Limited impact with proper Content Security Policy (CSP), input validation at WAF level, and regular security monitoring.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has Contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.20.8 or later
Vendor Advisory: https://wordpress.org/plugins/happy-elementor-addons/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Happy Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily restrict or review Contributor-level user accounts until the patch is applied.
Implement Content Security Policy
Add CSP headers to reduce XSS impact by restricting the sources from which scripts may execute.
Add to .htaccess:
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
or configure the equivalent header in the web server settings. A policy this strict also blocks inline scripts, which WordPress themes and Elementor itself rely on, so trial it as Content-Security-Policy-Report-Only before enforcing it.
🧯 If You Can't Patch
- Disable the Happy Addons plugin completely if not essential
- Implement web application firewall (WAF) rules to block XSS payloads in '_elementor_data' parameter
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. If Happy Addons version is 3.20.7 or lower, you are vulnerable.
Check Version:
wp plugin list --name=happy-elementor-addons --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify plugin version shows 3.20.8 or higher in WordPress admin panel.
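The version check above is easy to get wrong when scripted, because a plain string comparison treats "3.9.9" as newer than "3.20.8". The following is an added example (not code from the advisory or from the plugin vendor) that parses the version string printed by the WP-CLI command given above and compares it numerically against the patched version 3.20.8. The plugin slug and the `assess()` output shape are this example's own choices.

```python
import re
import subprocess

# Version in which the vendor fixed the issue, per the advisory above.
PATCHED_VERSION = "3.20.8"
PLUGIN_SLUG = "happy-elementor-addons"


def parse_version(version):
    """Turn "3.20.7" into (3, 20, 7).

    Only the leading digits of each dot-separated piece count, so a
    pre-release tag such as "3.20.8-beta1" compares as 3.20.8.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"not a version string: {version!r}")
    return tuple(parts)


def is_vulnerable(installed, patched=PATCHED_VERSION):
    """True when the installed version is older than the patched one.

    Comparing tuples of ints avoids the string-comparison trap where
    "3.9.9" > "3.20.8" simply because "9" > "2".
    """
    return parse_version(installed) < parse_version(patched)


def assess(wp_cli_output):
    """Interpret the stdout of:
        wp plugin list --name=happy-elementor-addons --field=version
    An empty result means the plugin is not installed, so there is nothing to patch.
    """
    version = wp_cli_output.strip()
    if not version:
        return {"plugin": PLUGIN_SLUG, "installed": None,
                "vulnerable": False, "action": "plugin not installed"}
    vuln = is_vulnerable(version)
    return {"plugin": PLUGIN_SLUG, "installed": version, "vulnerable": vuln,
            "action": f"update to {PATCHED_VERSION} or later" if vuln else "patched"}


if __name__ == "__main__":
    # Run the advisory's WP-CLI command from the WordPress root and report.
    try:
        out = subprocess.run(
            ["wp", "plugin", "list", f"--name={PLUGIN_SLUG}", "--field=version"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not query WP-CLI: {exc}")
    print(assess(out))
```

Run it from the WordPress installation directory where WP-CLI is available; `assess()` can equally be fed version strings collected from many sites by other means.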
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with '_elementor_data' parameter containing script tags
- Multiple page updates from Contributor-level users
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected script loads in page responses
SIEM Query:
source="wordpress.log" AND "_elementor_data" AND ("<script>" OR "javascript:" OR "onload=" OR "onerror=")
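The SIEM query above is a string match over raw log text; it misses payloads that are URL-encoded or JSON-escaped, and it does not cover the second indicator (bursts of page updates from Contributor accounts). The following is an added example (not code from the advisory or from the plugin vendor) that applies the same three indicator classes after decoding the `_elementor_data` parameter and also counts contributor edits per user. The log format is hypothetical and the sample lines are constructed for this example; stock web-server access logs do not record POST bodies, so `parse_line()` must be adapted to whatever WordPress audit or WAF logging is actually in place.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log (not from the advisory). Hypothetical format, one
# request per line:
#   <timestamp> <user> <role> <method> <path> <urlencoded body or "-">
SAMPLE_LOG = """\
2026-01-10T09:12:01Z editor1 editor POST /wp-admin/admin-ajax.php action=elementor_ajax&_elementor_data=%5B%7B%22widgetType%22%3A%22heading%22%7D%5D
2026-01-10T09:13:44Z contrib7 contributor POST /wp-admin/admin-ajax.php action=elementor_ajax&_elementor_data=%5B%7B%22html%22%3A%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%7D%5D
2026-01-10T09:14:02Z contrib7 contributor POST /wp-admin/admin-ajax.php action=elementor_ajax&_elementor_data=%5B%7B%22link%22%3A%22javascript%3Avoid(0)%22%7D%5D
2026-01-10T09:14:30Z contrib7 contributor POST /wp-admin/admin-ajax.php action=elementor_ajax&_elementor_data=%5B%7B%22img%22%3A%22x%22%2C%22attrs%22%3A%22onerror%3Dfoo()%22%7D%5D
2026-01-10T09:20:00Z - - GET /about/ -
"""

# The three indicator classes named in the SIEM query above.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # onload=, onerror=, ...
}


def parse_line(line):
    """Split one log line into its six fields; None if the line is malformed."""
    parts = line.split(" ", 5)
    if len(parts) != 6:
        return None
    ts, user, role, method, path, body = parts
    return {"ts": ts, "user": user, "role": role,
            "method": method, "path": path, "body": body}


def elementor_payload(body):
    """Return the decoded _elementor_data value, or None if absent.

    parse_qs() undoes the URL encoding. If the value is JSON (as Elementor
    sends it), a load/dump round trip also resolves JSON escapes such as
    \\u003c so that an encoded '<script' is still seen by the patterns.
    """
    values = parse_qs(body).get("_elementor_data")
    if not values:
        return None
    raw = values[0]
    try:
        return json.dumps(json.loads(raw), ensure_ascii=False)
    except ValueError:
        return raw


def matched_indicators(text):
    """Names of the indicator classes that fire on the decoded payload."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_log(text, update_threshold=3):
    """Return (alerts, bursts).

    alerts: admin-ajax POSTs whose _elementor_data matches an indicator.
    bursts: contributor accounts with >= update_threshold Elementor saves.
    """
    alerts = []
    saves_by_contributor = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry or entry["method"] != "POST":
            continue
        if not entry["path"].endswith("/admin-ajax.php"):
            continue
        payload = elementor_payload(entry["body"])
        if payload is None:
            continue
        if entry["role"] == "contributor":
            saves_by_contributor[entry["user"]] += 1
        hits = matched_indicators(payload)
        if hits:
            alerts.append({"ts": entry["ts"], "user": entry["user"],
                           "role": entry["role"], "indicators": hits})
    bursts = {u: n for u, n in saves_by_contributor.items() if n >= update_threshold}
    return alerts, bursts


if __name__ == "__main__":
    found, busy = scan_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print("contributor burst:", busy)
```

The `event_handler` pattern is deliberately broad and will need triage against legitimate markup; tune `update_threshold` to the normal editing volume of your contributors.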
🔗 References
- https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2055
- https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2120
- https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/svg-draw/widget.php#L732
- https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2055
- https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2120
- https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/svg-draw/widget.php#L732
- https://plugins.trac.wordpress.org/changeset/3451894/happy-elementor-addons/trunk/widgets/svg-draw/widget.php?old=3312461&old_path=happy-elementor-addons%2Ftrunk%2Fwidgets%2Fsvg-draw%2Fwidget.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/df4b554a-0336-404c-b06c-2bc98c99997d?source=cve