Happy Addons for Elementor Vulnerability – Multiple XSS Vulnerabilities –  CVE-2024-2787, CVE-2024-2789, CVE-2024-1498, CVE-2024-1387 | WordPress Plugin Vulnerability Report

Plugin Name: Happy Addons for Elementor

Key Information

  • Software Type: Plugin
  • Software Slug: happy-elementor-addons
  • Software Status: Active
  • Software Author: thehappymonster
  • Software Downloads: 6,284,286
  • Active Installs: 400,000
  • Last Updated: April 4, 2024
  • Patched Versions: 3.10.5, 3.10.4
  • Affected Versions: <= 3.10.3

Vulnerability Details

Vulnerability 1

  • Name: Happy Addons for Elementor <= 3.10.4 - Authenticated Stored Cross-Site Scripting via Page Title HTML Tag
  • CVE: CVE-2024-2787
  • CVSS Score: 6.4
  • Publicly Published: April 4, 2024
  • Researcher: João Pedro Soares de Alcântara - Kinorth
  • Description: Vulnerability allows authenticated attackers (contributor-level and above) to inject arbitrary web scripts through the 'st_tag_cloud' shortcode due to inadequate input sanitization.

Vulnerability 2

  • Name: Happy Addons for Elementor <= 3.10.4
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Calendy
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2789
  • CVSS Score: 6.4
  • Publicly Published: April 4, 2025
  • Researcher: ST
  • Description: Vulnerability via the plugin's Calendy widget allows for script injections, exploiting insufficient input sanitization.

Vulnerability 3

  • Name: Happy Addons for Elementor <= 3.10.3
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Photo Stack Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1498
  • CVSS Score: 6.4
  • Publicly Published: April 4, 2024
  • Researcher: RandomRoot
  • Description: Similar XSS vulnerability via the plugin's Photo Stack Widget due to inadequate input sanitization and output escaping.

Vulnerability 4

  • Name: Happy Addons for Elementor <= 3.10.4
  • Title: Incorrect Authorization to Information Exposure
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE: CVE-2024-1387
  • CVSS Score: 4.3
  • Publicly Published: April 4, 2024
  • Researcher: Lucio Sà
  • Description: Incorrect authorization leading to potential information exposure through the duplicate_thing() function.

Summary

The Happy Addons for Elementor plugin faces several security vulnerabilities, notably Stored Cross-Site Scripting (XSS) issues in versions up to 3.10.4, affecting various widgets and functionalities due to insufficient input sanitization and output escaping. These vulnerabilities could allow attackers to execute arbitrary web scripts, compromising site security.

Detailed Overview

Research conducted by multiple security experts has unveiled these vulnerabilities, highlighting the potential risks associated with the plugin's functionalities. The XSS vulnerabilities present a considerable risk, potentially leading to unauthorized data access and manipulation. The developers have addressed these issues in the latest patched versions.

Advice for Users

  • Immediate Action: Users are advised to update to the latest patched version (3.10.5 or 3.10.4) immediately.
  • Check for Signs of Vulnerability: Monitor your site for unusual activities that may indicate exploitation.
  • Alternate Plugins: Consider evaluating other Elementor addons with robust security features.
  • Stay Updated: Keep all plugins and themes up-to-date to mitigate vulnerability risks.

Conclusion

The rapid patching of these vulnerabilities by the Happy Addons for Elementor development team underscores the critical importance of timely updates in the digital realm. For WordPress site owners, especially those who may not have the time to constantly monitor security updates, these incidents serve as a vital reminder of the need to maintain updated and secure plugins. Regular vigilance and proactive security measures are paramount in protecting online assets in an ever-evolving cyber threat landscape.

References

Detailed Report: 

In today's digital landscape, the security of your WordPress website is paramount, especially for small business owners who rely on their online presence for their livelihood. The recent discovery of multiple vulnerabilities in the popular WordPress plugin, Happy Addons for Elementor, serves as a stark reminder of the ever-present cyber threats lurking in the digital world. With over 6 million downloads and 400,000 active installations, the impact of these vulnerabilities is significant, potentially affecting countless WordPress sites.

Vulnerabilities at a Glance

The plugin was found to have multiple vulnerabilities, notably Stored Cross-Site Scripting (XSS) issues, across various versions up to 3.10.3. These vulnerabilities were identified in different functionalities and widgets of the plugin, including the Page Title HTML Tag, Calendy widget, Photo Stack Widget, and due to incorrect authorization in the duplicate_thing() function. These issues primarily arose from insufficient input sanitization and output escaping, allowing authenticated attackers with contributor-level access and above to inject harmful scripts.

Risks and Potential Impacts

The vulnerabilities within Happy Addons for Elementor pose significant risks to website integrity and user data security. By exploiting these vulnerabilities, attackers could potentially execute arbitrary web scripts, leading to unauthorized data access, manipulation of site content, and compromising user trust.

Remediation and User Advice

The plugin developers have promptly addressed these vulnerabilities in patched versions 3.10.5 and 3.10.4. Users are strongly advised to:

  • Update the plugin to the latest patched version immediately.
  • Monitor site activity for any signs of unauthorized access or script injections.
  • Consider alternative Elementor addons with a strong focus on security.
  • Stay Updated with all plugin and theme updates to mitigate vulnerability risks.

The Importance of Vigilance

For small business owners managing WordPress sites, the Happy Addons for Elementor vulnerabilities underline the crucial need for vigilance in the digital arena. In an age where cyber threats continually evolve, staying informed and proactive in updating and securing your digital assets is non-negotiable. It not only safeguards your business but also protects the trust and security of your users.

Conclusion

The swift resolution of these vulnerabilities by the Happy Addons for Elementor development team reinforces the critical nature of timely software updates. Regular vigilance, coupled with informed security practices, remains key to navigating the complex cybersecurity landscape and ensuring the sustained safety and reliability of your WordPress site.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Happy Addons for Elementor Vulnerability – Multiple XSS Vulnerabilities – CVE-2024-2787, CVE-2024-2789, CVE-2024-1498, CVE-2024-1387 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment