The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the ha_duplicate_thing admin action handler. This is due to the can_clone() method only checking current_user_can('edit_posts') (a general capability) without performing object-level authorization such as current_user_can('edit_post', $post_id), and the nonce being tied to the generic action name ha_duplicate_thing rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the post_id parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.
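The two gaps described above (a general capability check and a nonce bound only to the action name), shown beside a hardened form. This is an added example, not the plugin's code: every `example_*` name, the `example_duplicate_thing` action, and the request shape (`post_id` and `_wpnonce` as GET parameters) are assumptions; the WordPress functions called are core APIs.

```php
<?php
// Added example; not Happy Addons code. Every example_* name is hypothetical.

// The pattern the advisory describes: a general capability that any
// Contributor holds, checked without reference to the post being cloned.
function example_can_clone_weak() {
    return current_user_can( 'edit_posts' );
}

// Hardened: the nonce action embeds the post ID, so a nonce issued for one
// post fails wp_verify_nonce() when post_id is changed.
function example_clone_nonce_action( $post_id ) {
    return 'example_duplicate_thing_' . absint( $post_id );
}

// Hardened: 'edit_post' is a meta capability that WordPress resolves
// against this specific post's author, status and type.
function example_can_clone( $post_id ) {
    $post = get_post( absint( $post_id ) );
    return $post instanceof WP_Post && current_user_can( 'edit_post', $post->ID );
}

function example_handle_duplicate() {
    // Assumed request shape: ?action=example_duplicate_thing&post_id=N&_wpnonce=...
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $nonce   = isset( $_GET['_wpnonce'] ) ? sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ) : '';

    if ( ! $post_id || ! wp_verify_nonce( $nonce, example_clone_nonce_action( $post_id ) ) ) {
        wp_die( 'Invalid or expired clone link.', '', array( 'response' => 403 ) );
    }
    if ( ! example_can_clone( $post_id ) ) {
        wp_die( 'You are not allowed to clone this item.', '', array( 'response' => 403 ) );
    }

    $source = get_post( $post_id );
    // Copies content only; meta and taxonomies are not copied here.
    $new_id = wp_insert_post( array(
        'post_title'   => wp_slash( $source->post_title ),
        'post_content' => wp_slash( $source->post_content ),
        'post_type'    => $source->post_type,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ) );
    wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . absint( $new_id ) ) );
    exit;
}
add_action( 'admin_action_example_duplicate_thing', 'example_handle_duplicate' );
```

The code that renders the clone link must create its nonce with the same per-post action, `wp_create_nonce( example_clone_nonce_action( $post->ID ) )`, and should only render the link when `example_can_clone()` returns true for that post.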