Happy Addons for Elementor Vulnerability (Medium) – CVE-2026-2917

by | Mar 10, 2026 | Plugins

Attack Vectors

CVE-2026-2917 is a Medium severity vulnerability (CVSS 5.4) affecting the Happy Addons for Elementor WordPress plugin (happy-elementor-addons) in versions up to and including 3.21.0. It can be exploited remotely over the network by an authenticated user with at least Contributor access.

The issue is triggered through the plugin’s ha_duplicate_thing admin action handler, where an attacker supplies an arbitrary post_id parameter and the plugin duplicates that post without confirming that the caller is allowed to edit it. In practical terms, if your site allows registrations, guest authors, partners, or any workflow where multiple people have logins, this expands the internal attack surface.

Security Weakness

This vulnerability is an Insecure Direct Object Reference (IDOR). The plugin’s can_clone() authorization check uses a broad capability check (current_user_can('edit_posts')) instead of validating permission at the specific object level (for example, confirming the user can edit the particular post referenced by post_id).

Additionally, the nonce is tied to the generic action name (ha_duplicate_thing) rather than being bound to the specific post being duplicated. Combined, these weaknesses make it more likely that an authenticated user with basic editorial privileges could duplicate posts they do not legitimately control.
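To make the two weaknesses concrete, here is an illustrative duplicate-post handler written for this post; it is not the plugin’s code. The capability name (edit_posts), the action name (ha_duplicate_thing) and the idea of a can_clone() check are taken from the description above; every other function and variable name is an assumption, and the real plugin’s code may be structured differently. The weak check is shown next to the object-level check that closes the IDOR, and the nonce is bound to the post rather than to the action name alone.

```php
<?php
// Added illustration, not code from Happy Addons for Elementor. Function
// names other than the capability/action strings are assumptions.

// Weak pattern (what the advisory describes): any user holding the
// role-level 'edit_posts' capability passes, whatever post_id they sent.
// Contributors hold edit_posts, so this is the IDOR.
function weak_can_clone( $post_id ) {
    return current_user_can( 'edit_posts' );
}

// Object-level pattern: 'edit_post' is a meta capability that WordPress
// resolves against the specific post (owner, status, post type), so a
// Contributor is refused for posts they do not own or cannot edit.
function strict_can_clone( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post instanceof WP_Post ) {
        return false;
    }
    return current_user_can( 'edit_post', $post->ID );
}

// Hypothetical handler for admin.php?action=ha_duplicate_thing&post_id=N
function ha_duplicate_thing_handler() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;

    // Bind the nonce to the object, not only to the action name, so a
    // token minted for one post cannot be replayed against another.
    check_admin_referer( 'ha_duplicate_thing_' . $post_id );

    if ( ! strict_can_clone( $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to duplicate this item.' ), 403 );
    }

    $source = get_post( $post_id );
    $new_id = wp_insert_post(
        array(
            'post_title'   => $source->post_title . ' (copy)',
            'post_content' => $source->post_content,
            'post_type'    => $source->post_type,
            'post_status'  => 'draft',
            'post_author'  => get_current_user_id(),
        ),
        true // return WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ) );
    }

    wp_safe_redirect( admin_url( 'edit.php?post_type=' . $source->post_type ) );
    exit;
}
add_action( 'admin_action_ha_duplicate_thing', 'ha_duplicate_thing_handler' );

// The "duplicate" link must mint the nonce with the same per-post action
// string, otherwise check_admin_referer() above rejects every request.
function ha_duplicate_link( $post_id ) {
    $url = add_query_arg(
        array( 'action' => 'ha_duplicate_thing', 'post_id' => $post_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'ha_duplicate_thing_' . $post_id );
}
```

The key difference is the second argument to current_user_can(): with 'edit_posts' WordPress answers "can this role edit posts at all", with 'edit_post' plus a post ID it answers "can this user edit this post". The per-post nonce is a second layer; it does not replace the capability check, because a Contributor can obtain a valid nonce for a post they see in the admin list.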

Remediation: Update Happy Addons for Elementor to version 3.21.1 or a newer patched version.
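A quick way to confirm whether an installation is still in the affected range, as an added example (not part of the original advisory): the script compares the installed version against 3.21.1, the fixed release named above. The version comparison is self-contained; reading the live version with WP-CLI (wp plugin get happy-elementor-addons --field=version) assumes WP-CLI is available in the WordPress checkout, and the wrapper accepts a version on the command line for use without it.

```sh
#!/bin/sh
# Added example for checking the CVE-2026-2917 affected range.
# Not part of the advisory; the WP-CLI call is an assumption.
set -eu

PLUGIN_SLUG="happy-elementor-addons"
FIXED_VERSION="3.21.1"   # first patched release per the advisory

# version_lt A B: exit 0 if dotted version A sorts strictly before B.
# Components are compared numerically left to right; a missing
# component counts as 0, and non-digit suffixes are ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah=$(printf '%s' "$ah" | tr -cd '0-9'); ah="${ah:-0}"
        bh=$(printf '%s' "$bh" | tr -cd '0-9'); bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# is_vulnerable VERSION: exit 0 if VERSION is below the fixed release,
# i.e. within "up to and including 3.21.0".
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site [VERSION]: report status for an explicit version, or read
# the installed version with WP-CLI when run inside a WordPress root.
# Returns 1 when the installation is affected.
check_site() {
    if [ $# -ge 1 ]; then
        installed="$1"
    else
        installed=$(wp plugin get "$PLUGIN_SLUG" --field=version)
    fi
    if is_vulnerable "$installed"; then
        printf '%s %s is affected by CVE-2026-2917; update to %s or later\n' \
            "$PLUGIN_SLUG" "$installed" "$FIXED_VERSION"
        return 1
    fi
    printf '%s %s is not in the affected range\n' "$PLUGIN_SLUG" "$installed"
}

# Usage: sh check.sh            (inside the WordPress root, with WP-CLI)
#        sh check.sh 3.21.0     (check a known version offline)
```

Run it from a cron job or a deploy pipeline and treat a non-zero exit as a failed check; on multi-site fleets, feed it the version each site reports rather than trusting the packaged plugin version in the repository.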

Technical or Business Impacts

While the severity is rated Medium, the business impact can be meaningful depending on your publishing workflow. Unauthorized post duplication can lead to content integrity issues (unexpected copies of pages/posts), confusion in editorial operations, and potential brand and compliance risk if restricted or embargoed content is duplicated and later modified or published through normal processes.

Marketing and communications teams may also experience operational disruption: duplicated landing pages, altered variants entering campaigns, analytics noise (multiple similar pages impacting reporting), and increased time spent investigating “mystery” content changes.

For organizations with regulated content review (legal disclaimers, financial messaging, healthcare statements), uncontrolled duplication can complicate approval trails and create audit and governance concerns—even if the immediate technical impact is “only” low confidentiality/integrity impact as reflected in the CVSS vector.

Similar Attacks

IDOR vulnerabilities have repeatedly been used to access or manipulate data by referencing objects the user should not control. Examples include:

Panera Bread leaked millions of customer records (IDOR-style access control issue) – KrebsOnSecurity
Overview of IDOR and real-world risk – Imperva
IDOR/access control testing guidance and examples – PortSwigger Web Security Academy
