Skip to main content

Happy Addons for Elementor EUVDEUVD-2026-28332

| CVE-2026-25468 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-05-07 Patchstack GHSA-4425-vvcm-jqxw
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 09:01 vuln.today
CVE Published
May 07, 2026 - 07:37 nvd
MEDIUM 5.3

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs Happy Addons for Elementor allows Retrieve Embedded Sensitive Data.

This issue affects Happy Addons for Elementor: from n/a through 3.20.8.

AnalysisAI

Happy Addons for Elementor through version 3.20.8 exposes sensitive system information to unauthorized users via an information disclosure vulnerability, allowing remote unauthenticated attackers to retrieve embedded sensitive data without authentication or user interaction. The vulnerability affects all installations of the plugin up to and including version 3.20.8, with a CVSS score of 5.3 reflecting the confidentiality impact of exposed system data.

Technical ContextAI

Happy Addons for Elementor is a WordPress plugin that extends Elementor page builder functionality with additional widgets and features. The vulnerability is rooted in CWE-497 (Exposure of System Data to an Unauthorized Control Sphere), indicating that the plugin inadvertently exposes system or configuration data that should remain confidential to unauthorized users. The issue likely involves improper access controls or information exposure through API endpoints, REST endpoints, or publicly accessible files within the plugin, allowing attackers to retrieve embedded sensitive information without requiring authentication or specific privileges.

RemediationAI

Update Happy Addons for Elementor to a patched version released after 3.20.8 immediately. Administrators should navigate to the WordPress plugin dashboard, select the Happy Addons for Elementor plugin, and click Update to the latest available version. If a patched version is not yet available at the time of patching, implement immediate compensating controls: disable the Happy Addons for Elementor plugin entirely until a fix is released, or restrict access to the WordPress site to trusted IP addresses only via web server firewall rules (htaccess, nginx, or firewall) to prevent unauthorized reconnaissance. Monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-8-sensitive-data-exposure-vulnerability) and official weDevs plugin repository for security updates.

CVE-2021-24292 MEDIUM POC
5.4 May 17

The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.

CVE-2023-28989 HIGH
8.8 Jul 10

Cross-Site Request Forgery (CSRF) vulnerability in weDevs Happy Addons for Elementor plugin <= 3.8.2 versions. Rated hig

CVE-2024-0438 MEDIUM
6.4 Feb 29

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wrapper link pa

CVE-2024-0838 MEDIUM
6.4 Feb 29

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the side image URL

CVE-2024-29108 MEDIUM
6.5 Mar 19

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leevio Happy Addon

CVE-2024-4391 MEDIUM
6.4 May 16

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Event

CVE-2024-4478 MEDIUM
6.4 May 16

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Gro

CVE-2024-1366 MEDIUM
6.4 Mar 07

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘archive_title_

CVE-2024-1377 MEDIUM
6.4 Mar 07

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author_meta_ta

CVE-2024-3724 MEDIUM
6.4 May 02

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image

CVE-2024-3891 MEDIUM
6.4 May 02

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in widget

CVE-2024-4865 MEDIUM
6.4 May 18

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter

Share

EUVD-2026-28332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy