The popular WordPress plugin Happy Addons for Elementor, used on over 400,000 websites, has patched a security vulnerability that left many sites at risk. The flaw, a stored cross-site scripting (XSS) vulnerability, allowed attackers with minimal permissions to inject harmful scripts into a site, potentially compromising both visitors and site owners.
Background on Happy Addons for Elementor
Happy Addons is a plugin that enhances the Elementor page builder with a variety of additional widgets and features, enabling users to create visually appealing and functional websites. It includes free tools such as image grids, user reviews, and navigation customization, with a premium version offering even more powerful options for web designers.
Understanding Stored Cross-Site Scripting (Stored XSS)
Stored XSS vulnerabilities occur when user input to a website or plugin isn’t properly sanitized, allowing attackers to store malicious code on the server itself. When a visitor later loads a page containing the injected code, the script runs in their browser, where it can steal cookies or redirect the user to malicious websites. In Happy Addons the flaw sat in the plugin’s Image Comparison widget, which neither sufficiently filtered (“sanitized”) its user inputs nor escaped them on output.
Details of the Vulnerability
This vulnerability specifically required attackers to have Contributor-level access or higher, making it a bit harder to exploit than vulnerabilities that need no authentication. Wordfence, a leading WordPress security company, assessed the risk level of this vulnerability at 6.4 out of 10—a “medium” threat.
Wordfence Statement
“The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘before_label’ parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts on pages that will execute whenever a user accesses an injected page.”
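The pattern the advisory describes, as an added example that is not Happy Addons’ own code: a widget label stored by a low-privilege user is echoed straight into page markup, and the fix is to sanitize it when it is saved and escape it when it is output. The function names `render_label_unescaped`, `render_label_escaped` and `save_label` and the `$settings` array are hypothetical; `esc_html`, `esc_attr` and `sanitize_text_field` are real WordPress helpers, shimmed here only so the file runs with plain `php` outside WordPress.

```php
<?php
// Added example, not code from the Happy Addons plugin. Shows why an unescaped
// widget setting becomes stored XSS and how sanitize-on-save plus escape-on-output
// neutralizes it. Function and variable names below are hypothetical.

if (!function_exists('esc_html')) {
    // Minimal stand-in for WordPress esc_html(): encode HTML special characters.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): same encoding, used inside attribute values.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): strip tags and trim whitespace.
    function sanitize_text_field(string $text): string {
        return trim(strip_tags($text));
    }
}

// Vulnerable pattern: the stored setting is concatenated directly into markup.
function render_label_unescaped(array $settings): string {
    return '<span class="before-label">' . $settings['before_label'] . '</span>';
}

// Hardened pattern, step 1: sanitize the value at the point where it is saved.
function save_label(string $raw): string {
    return sanitize_text_field($raw);
}

// Hardened pattern, step 2: escape at output, using the escaper that matches the
// context (attribute value vs. element text). This alone already defuses the payload.
function render_label_escaped(array $settings): string {
    return '<span class="before-label" data-label="' . esc_attr($settings['before_label']) . '">'
         . esc_html($settings['before_label']) . '</span>';
}

// Regression check a maintainer can keep in a test suite: no raw tag survives output.
function output_is_tag_free(string $html, string $untrusted): bool {
    $inner = str_replace(['<span class="before-label"', '</span>'], '', $html);
    return strpos($inner, '<') === false || strpos($html, $untrusted) === false;
}

// Constructed input: the kind of value a Contributor could type into the label field.
$payload = 'Before<script>alert(1)</script>';

$unsafe = render_label_unescaped(['before_label' => $payload]);
$safe   = render_label_escaped(['before_label' => $payload]);
$saved  = render_label_escaped(['before_label' => save_label($payload)]);

echo "unescaped:          $unsafe\n";
echo "escaped:            $safe\n";
echo "sanitized+escaped:  $saved\n";
echo "unescaped keeps payload: " . var_export(!output_is_tag_free($unsafe, $payload), true) . "\n";
echo "escaped strips payload:  " . var_export(output_is_tag_free($safe, $payload), true) . "\n";
```

Run it with `php example.php`. The first line of output reproduces the bug class in the advisory (the `<script>` element is emitted verbatim, so any visitor’s browser would execute it), while the escaped forms render the same text as harmless literal characters. In a real Elementor widget the equivalent change goes in the widget’s render method, and the escaper must match the output context: `esc_attr()` inside attributes, `esc_html()` for element text, and `wp_kses_post()` only where limited HTML is genuinely intended.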
What You Should Do Next
If your site uses Happy Addons for Elementor, updating to version 3.12.6 (or higher) will eliminate the vulnerability. This latest version includes a security patch that fixes the input filtering issue and blocks the XSS risk. To ensure your site’s security, check your plugins list and update Happy Addons if you’re using version 3.12.5 or below.
For more technical details, consult the Wordfence advisory.