CVE-2025-68999

HIGH

HappyMonster Happy Addons <3.20.4 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-68999. PoCs published by FOLKS-iwd.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-68999, an authenticated second-order SQL injection vulnerability in Happy Addons for Elementor <= 3.20.4. The exploit leverages a Contributor+ role to inject malicious SQL via custom field names, which are later executed during the Happy Clone action.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HappyMonster Happy Addons for Elementor (happy-elementor-addons) allows Blind SQL Injection. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4.

Exploits (1)

nomisec · WORKING POC · 2 stars
by FOLKS-iwd · poc
https://github.com/FOLKS-iwd/CVE-2025-68999-POC

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Happy Addons for Elementor <= 3.20.4
Auth required
Prerequisites: Contributor+ role in WordPress · Happy Addons for Elementor plugin active and vulnerable version installed
devstral-2 · analyzed Apr 21, 2026

Scores

CVSS v3 8.5
EPSS 0.0025
EPSS Percentile 16.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-89
Status published
Products (2)
HappyMonster/Happy Addons for Elementor < 3.20.4
HappyMonster/Happy Addons for Elementor <= 3.20.4
Published Jan 22, 2026
Tracked Since Feb 18, 2026