Skip to main content

HappyMonster Happy Addons CVE-2025-63077

MEDIUM
Missing Authorization (CWE-862)
2025-12-09 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 09, 2025 - 16:18 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Happy Addons for Elementor: from n/a through <= 3.20.3.

AnalysisAI

Happy Addons for Elementor through version 3.20.3 allows authenticated users to access functionality they should not have permission to use due to missing authorization checks on API endpoints or admin functions. The vulnerability requires valid user authentication and results in information disclosure, with a CVSS score of 4.3 and an extremely low EPSS exploitation probability of 0.04%, suggesting minimal real-world attack incentive despite the access control flaw.

Technical ContextAI

This is a missing authorization vulnerability (CWE-862: Improper Access Control) affecting the Happy Addons for Elementor WordPress plugin, which is a page builder extension for Elementor. The root cause is the failure to properly validate user permissions before allowing access to protected functions or API endpoints. WordPress plugins typically authenticate users via nonce validation and capability checks (e.g., 'manage_options', 'edit_posts'), but this plugin apparently skips or misconfigures these checks on one or more sensitive operations. An authenticated user with basic credentials can therefore perform actions or view data reserved for higher-privilege roles (administrators or editors with specific capabilities). The vulnerability is classified as improper access control rather than authentication bypass, meaning the authentication layer itself is intact but authorization controls are deficient.

Affected ProductsAI

Happy Addons for Elementor versions from an unspecified baseline through 3.20.3 are affected. The plugin is distributed via the WordPress plugin repository and is identified by the slug 'happy-elementor-addons'. Administrators running version 3.20.3 or earlier should apply updates immediately upon availability. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-2-broken-access-control-vulnerability for complete affected version details and vendor communication.

RemediationAI

Update Happy Addons for Elementor to the patched version released by the vendor in response to this CVE. Exact patched version number should be confirmed via the official Patchstack advisory or the plugin's release notes. In the interim, site administrators should audit user roles and capabilities in WordPress to ensure that only trusted users have the contributor, author, or editor roles that could exploit this vulnerability. Consider restricting plugin administration to a minimal set of administrators. Verify that the site is running the latest stable version of WordPress and Elementor itself, as those core systems provide additional access control layers.

Share

CVE-2025-63077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy