Vulnerability detected in the popular plugin Happy Addons for Elementor: analysis of the situation
The Happy Addons for Elementor plugin extends the possibilities of building pages on Elementor with dozens of free widgets and features, such as image grids, user feedback, and custom navigation menus. The paid version of the plugin provides even more design options, making it easy to create functional and attractive WordPress websites.
Stored Cross-Site Scripting (Stored XSS) is a type of vulnerability that typically occurs when a theme or plugin does not properly filter user input (a process called sanitization), allowing malicious scripts to be uploaded into the database and stored on the server itself.
When a user visits the website, the script is loaded into the browser and performs actions such as stealing browser cookies or redirecting the user to a malicious website. 🚀
- 📌 The Stored XSS vulnerability that affects the Happy Addons for Elementor plugin requires the hacker to obtain "Contributor" privileges, which makes exploiting this vulnerability more difficult.
WordPress security company Wordfence rated this vulnerability as 6.4 on a scale of 1 to 10, which is a medium threat level. 🚀
Wordfence states: "The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to and including 3.12.5 due to insufficient sanitization of input and output. This allows authenticated attackers with Contributor and higher access to inject arbitrary web scripts into pages that will be executed every time a user opens an infected page."
Can I protect my site from this vulnerability?
Yes, you should update the plugin to the latest version that already contains a patch for this vulnerability.
Can this vulnerability be considered serious?
It is rated as a "medium" threat, but that does not make it less important. If someone exploits this vulnerability, the results can be dangerous.
Are there other ways to protect against such attacks?
The main way to protect yourself is to always keep your plugins up to date. It is also important to use reliable plugins from reputable developers.
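A site owner can also check whether existing pages already carry markup in the affected field. The following is an added example, not code from the article, Wordfence, or the plugin: it assumes the page's Elementor content has been exported from the `_elementor_data` post meta as a JSON string and that the widget stores the label under a settings key named `before_label`, as in the advisory; the element ids, widget type name and label values in the sample are constructed.

```python
import json
import re

# Heuristic: an HTML tag opening, or an inline event-handler attribute.
MARKUP = re.compile(r"<\s*[a-z!/]|[\"'\s]on[a-z]+=", re.IGNORECASE)

def find_markup_in_setting(elements, key="before_label", path=""):
    """Walk an Elementor element tree; return one record per element whose
    `key` setting holds a string that looks like markup, not plain text."""
    hits = []
    for index, element in enumerate(elements):
        here = f"{path}/{index}"
        settings = element.get("settings")
        # PHP encodes an empty settings array as [], so check the type.
        if isinstance(settings, dict):
            value = settings.get(key)
            if isinstance(value, str) and MARKUP.search(value):
                hits.append({"path": here, "id": element.get("id"),
                             "widget": element.get("widgetType"), "value": value})
        hits.extend(find_markup_in_setting(element.get("elements") or [], key, here))
    return hits

def audit_elementor_data(raw_json, key="before_label"):
    """Audit one post's _elementor_data meta value (a JSON string)."""
    return find_markup_in_setting(json.loads(raw_json), key)

# Constructed sample: ids, widget type names and label values are made up.
SAMPLE = json.dumps([
    {"id": "a1", "elType": "section", "settings": [], "elements": [
        {"id": "b2", "elType": "column", "settings": {}, "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "example-compare",
             "settings": {"before_label": "Before"}, "elements": []},
            {"id": "d4", "elType": "widget", "widgetType": "example-compare",
             "settings": {"before_label": "<script>/* constructed */</script>"},
             "elements": []},
        ]},
    ]},
])

if __name__ == "__main__":
    for hit in audit_elementor_data(SAMPLE):
        print(f"review {hit['path']} (element {hit['id']}): {hit['value']!r}")
```

Any hit is a candidate for manual review of the page and of the Contributor account that last edited it; the check is a heuristic and does not replace updating the plugin.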
This article was generated using AI based on the referenced material, then edited and manually verified by the author for accuracy and usefulness.
https://www.searchenginejournal.com/wordpress-elementor-addons-vulnerability-affects-400k-sites/532372/