CVE-2024-48045

4.3 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the Happy Addons for Elementor WordPress plugin. It allows attackers to exploit incorrectly configured access control security levels, potentially accessing functionality they shouldn't have permission to use. All WordPress sites using affected versions of this plugin are vulnerable.

💻 Affected Systems

Products:
  • Happy Addons for Elementor WordPress plugin
Versions: n/a through 3.12.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations using vulnerable plugin versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify plugin settings, inject malicious content, or access administrative functions leading to site compromise.

🟠 Likely Case

Unauthorized users accessing restricted plugin features or settings, potentially modifying site content or configurations.

🟢 If Mitigated

With proper access controls and authentication checks in place, impact is limited to unsuccessful unauthorized access attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires understanding of plugin endpoints but is technically simple once identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.12.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/happy-elementor-addons/wordpress-happy-elementor-addons-plugin-3-12-3-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Happy Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download latest version from WordPress repository and upload manually.

🔧 Temporary Workarounds

  • Disable vulnerable plugin (all): Temporarily deactivate Happy Addons for Elementor until patched
  • Restrict plugin access (all): Use WordPress security plugins to restrict access to plugin endpoints

🧯 If You Can't Patch

  • Implement strict access controls and authentication checks at web server level
  • Monitor for unauthorized access attempts to plugin endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Happy Addons for Elementor version

Check Version:

wp plugin list --name='happy-elementor-addons' --field=version

Verify Fix Applied:

Verify plugin version is 3.12.4 or higher in WordPress admin
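
A scripted form of the version check above, for running across many sites. This is an added example, not code from the vendor or the advisory; the function names are hypothetical, and the fixed version 3.12.4 is the one given on this page.

```shell
#!/bin/sh
# Added example: classify a Happy Addons for Elementor version against the
# fixed release named on this page (3.12.4). Function names are hypothetical.

FIXED_VERSION="3.12.4"

# version_lt A B: exit 0 if dotted numeric version A < B, else exit 1.
# Missing components count as 0, so "3.12" compares as "3.12.0".
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read; empty the string at the last one.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# happy_addons_status VERSION: prints vulnerable | patched | unknown.
# Empty output from wp-cli (plugin not installed) or a non-numeric
# version string (e.g. a pre-release suffix) is reported as unknown.
happy_addons_status() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Typical use with the wp-cli command from this page (run in the site root):
#   happy_addons_status "$(wp plugin list --name='happy-elementor-addons' --field=version)"
```

Treat an `unknown` result as a prompt to check the site by hand rather than as a pass.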

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /wp-content/plugins/happy-elementor-addons/ endpoints
  • 403 or 401 errors for plugin-specific URLs

Network Indicators:

  • Unusual POST/GET requests to plugin endpoints from unauthorized IPs

SIEM Query:

source="wordpress.log" AND ("happy-elementor-addons" OR "happy addons") AND (status=403 OR status=401)
