Happy Addons for Elementor Vulnerability – Authenticated Stored Cross-Site Scripting via Calendly Widget – CVE-2024-3890 | WordPress Plugin Vulnerability Report 

Plugin Name: Happy Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: happy-elementor-addons
  • Software Status: Active
  • Software Author: thehappymonster
  • Software Downloads: 6,800,239
  • Active Installs: 400,000
  • Last Updated: May 10, 2024
  • Patched Versions: 3.10.7
  • Affected Versions: <= 3.10.6

Vulnerability Details:

  • Name: Happy Addons for Elementor <= 3.10.6
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Calendly Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3890
  • CVSS Score: 6.4
  • Publicly Published: April 25, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the Calendly widget in all versions up to, and including, 3.10.6. This vulnerability arises due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts that execute whenever a user accesses an injected page.
  • References: Wordfence - Calendly Widget XSS


The Happy Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 3.10.6 that enables stored cross-site scripting via the Calendly widget. This vulnerability has been patched in version 3.10.7.

Detailed Overview:

This vulnerability was discovered by researcher Ngô Thiên An and involves a common web security flaw known as stored XSS, which can lead to unauthorized script execution affecting site visitors. The specific vulnerability within the Calendly widget of the Happy Addons for Elementor plugin was due to poor handling of input data, which should have been sanitized to prevent malicious code injection. With the release of patch 3.10.7, the developers have addressed this issue by implementing enhanced input sanitization and output escaping techniques to mitigate such risks in the future.

Advice for Users:

  • Immediate Action: Users are urged to update to version 3.10.7 immediately to address this vulnerability.
  • Check for Signs of Vulnerability: Review your site for unexpected content changes or unusual admin activity which may indicate exploitation.
  • Alternate Plugins: While the patch is available, users who are concerned may consider temporary alternatives that offer similar functionality.
  • Stay Updated: Always keep your WordPress plugins up-to-date to protect against known vulnerabilities and ensure the highest level of security.


The rapid identification and resolution of the vulnerability in Happy Addons for Elementor highlight the critical importance of maintaining active and updated security measures on all WordPress sites. It is essential for users to apply the patch provided in version 3.10.7 to safeguard their sites against potential exploits that could compromise user data and site integrity.


  • Wordfence Vulnerability Reports linked above.

Detailed Report: 

In today’s digital ecosystem, website security is a paramount concern, especially for small business owners utilizing platforms like WordPress to engage and serve their customers. The recent discovery of a vulnerability in the "Happy Addons for Elementor" plugin, known as CVE-2024-3890, highlights the critical need for vigilance and regular updates. This vulnerability, which allowed authenticated users to execute potentially harmful scripts via the Calendly widget, serves as a crucial reminder of the ongoing battle against cyber threats.

Risks and Potential Impacts:

This type of vulnerability exposes websites to several risks, including data breaches, unauthorized access to user sessions, and manipulation of website content. Such attacks not only compromise the security of the website but also damage trust with users, potentially leading to significant reputational harm and financial losses.

How to Remediate the Vulnerability:

  • Immediate Action: Update to the patched version 3.10.7 immediately via your WordPress dashboard.
  • Check for Signs of Vulnerability: Look for any unusual activity on your site, such as unexpected content changes or new user accounts.
  • Regular Security Audits: Conduct regular reviews of your site’s security health, ideally through automated security plugins and occasional manual checks.
  • Stay Updated: Ensure all your WordPress plugins, themes, and the core itself are regularly updated.

Overview of Previous Vulnerabilities:

The Happy Addons for Elementor plugin has experienced 20 reported vulnerabilities since April 26, 2021. This history underscores the importance of ongoing monitoring and updates as part of a robust cybersecurity strategy.


The prompt resolution of the vulnerability in Happy Addons for Elementor by releasing version 3.10.7 highlights the importance of timely software updates in mitigating security risks. For small business owners, actively managing a website might seem daunting, but the security of digital assets is non-negotiable. Leveraging tools that automate security updates and regularly reviewing security advisories can significantly reduce the risk of vulnerabilities, ensuring your business remains protected in the dynamic landscape of online threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Happy Addons for Elementor Vulnerability – Authenticated Stored Cross-Site Scripting via Calendly Widget – CVE-2024-3890 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment