CVE-2026-1210 in Happy Addons for Elementor Plugininfo

Summary

by MITRE • 02/03/2026

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/04/2026

The vulnerability identified as CVE-2026-1210 affects the Happy Addons for Elementor plugin, a popular WordPress plugin that extends the functionality of the Elementor page builder. This plugin enables users to create advanced website layouts and designs through a visual editor interface. The issue stems from inadequate input validation and output escaping mechanisms within the plugin's handling of the '_elementor_data' meta field, which is used to store Elementor page builder data. The vulnerability specifically impacts all versions up to and including 3.20.7, making it a significant concern for WordPress sites that rely on this plugin for their website construction and design capabilities.

The technical flaw manifests as a stored cross-site scripting vulnerability that allows authenticated attackers with Contributor-level privileges or higher to inject malicious JavaScript code into the WordPress database through the '_elementor_data' meta field. When legitimate users subsequently access pages containing this injected content, the malicious scripts execute in their browsers, potentially leading to various security consequences including session hijacking, data exfiltration, or redirection to malicious websites. This vulnerability operates at the application layer and represents a classic stored XSS attack vector where the malicious payload is permanently stored on the server and executed each time the affected page is loaded.

The operational impact of this vulnerability is substantial for WordPress administrators and content creators who use the Happy Addons for Elementor plugin. Attackers with Contributor-level access can exploit this weakness to compromise the security of entire websites, as they can inject scripts that persistently affect all users who view the compromised pages. This threat extends beyond simple script execution to potentially enable more sophisticated attacks such as credential theft, malware distribution, or the establishment of backdoors within the compromised WordPress environment. The vulnerability affects not only individual user sessions but also the overall integrity and security posture of the WordPress installation, particularly when multiple contributors or editors have access to the system.

Organizations and WordPress administrators should immediately update their installations to the latest version of the Happy Addons for Elementor plugin to remediate this vulnerability. The recommended mitigation strategy involves implementing proper input sanitization and output escaping mechanisms, specifically ensuring that all user-provided data is properly validated and escaped before being stored or displayed. Additionally, administrators should consider implementing role-based access controls to limit the privileges of users with Contributor-level access, and should monitor their WordPress installations for any suspicious activity or unauthorized modifications. This vulnerability aligns with CWE-79, which addresses cross-site scripting flaws, and represents a typical ATT&CK technique where adversaries leverage application vulnerabilities to establish persistent access to target systems through the execution of malicious scripts within the context of legitimate user sessions.

Disclosure

02/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00310

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!