Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs Happy Addons for Elementor allows Retrieve Embedded Sensitive Data.
This issue affects Happy Addons for Elementor: from n/a through 3.20.8.
AnalysisAI
Happy Addons for Elementor through version 3.20.8 exposes sensitive system information to unauthorized users via an information disclosure vulnerability, allowing remote unauthenticated attackers to retrieve embedded sensitive data without authentication or user interaction. The vulnerability affects all installations of the plugin up to and including version 3.20.8, with a CVSS score of 5.3 reflecting the confidentiality impact of exposed system data.
Technical ContextAI
Happy Addons for Elementor is a WordPress plugin that extends Elementor page builder functionality with additional widgets and features. The vulnerability is rooted in CWE-497 (Exposure of System Data to an Unauthorized Control Sphere), indicating that the plugin inadvertently exposes system or configuration data that should remain confidential to unauthorized users. The issue likely involves improper access controls or information exposure through API endpoints, REST endpoints, or publicly accessible files within the plugin, allowing attackers to retrieve embedded sensitive information without requiring authentication or specific privileges.
RemediationAI
Update Happy Addons for Elementor to a patched version released after 3.20.8 immediately. Administrators should navigate to the WordPress plugin dashboard, select the Happy Addons for Elementor plugin, and click Update to the latest available version. If a patched version is not yet available at the time of patching, implement immediate compensating controls: disable the Happy Addons for Elementor plugin entirely until a fix is released, or restrict access to the WordPress site to trusted IP addresses only via web server firewall rules (htaccess, nginx, or firewall) to prevent unauthorized reconnaissance. Monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-8-sensitive-data-exposure-vulnerability) and official weDevs plugin repository for security updates.
More in Happy Addons For Elementor
View allThe Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.
Cross-Site Request Forgery (CSRF) vulnerability in weDevs Happy Addons for Elementor plugin <= 3.8.2 versions. Rated hig
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wrapper link pa
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the side image URL
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leevio Happy Addon
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Event
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Gro
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘archive_title_
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author_meta_ta
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in widget
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28332
GHSA-4425-vvcm-jqxw