Critical XSS Vulnerability in WordPress Plugin Threatens Over Two Million Websites

February 26, 2025

A serious security vulnerability, tracked as CVE-2025-24752, has been disclosed in the Essential Addons for Elementor WordPress plugin, potentially placing over two million websites at risk. The flaw is a reflected Cross-Site Scripting (XSS) issue, which could allow threat actors to execute malicious scripts in the browsers of unsuspecting users. Essential Addons for Elementor is a widely used extension bundle for the Elementor page builder, and its large install base amplifies the potential impact of this vulnerability.

The vulnerability was found in the plugin's handling of the 'popup-selector' query argument, a parameter that activates pop-up functionality. Analysis by Patchstack showed that the flaw stemmed from inadequate validation and sanitization of this query argument. Before the corrective patch, the plugin simply replaced underscore characters with spaces and then inserted the argument's value directly into the page, with no further checks. This missing validation allowed attackers to inject malicious JavaScript. The simplicity of the attack vector is what makes this vulnerability so dangerous: by merely crafting a malicious URL and getting a user to open it, an attacker could potentially steal user credentials, redirect visitors to phishing sites, or deface entire websites.

The vulnerable code resided in the plugin's src/js/view/general.js file. On page load, the plugin processed the 'popup-selector' argument, leaving it open to manipulation. The severity of the issue is reflected in its CVSS score of 7.1, which signifies a high-risk vulnerability. Fortunately, the plugin's developers acted promptly, releasing version 6.0.15 to fix the flaw. The patch introduces strict validation of the 'popup-selector' value, limiting it to alphanumeric characters and a small set of safe symbols. This allow-list approach blocks the common XSS attack techniques the previous code permitted.
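The before/after handling described above, modelled as pure functions so it runs under Node without a DOM (an added example, not the plugin's own code; the exact allow-list character set, the 64-character cap and the sample log lines are assumptions):

```javascript
// Model of the 'popup-selector' handling described above, as pure functions so it
// runs under Node without a DOM. Allow-list set and length cap are assumptions.

// Before the patch (as described): swap underscores for spaces, use the value as-is.
function legacyPopupSelector(queryString) {
  const raw = new URLSearchParams(queryString).get("popup-selector");
  if (raw === null) return null;
  return raw.replace(/_/g, " "); // no validation: any character survives
}

// After the patch (modelled): allow-list the raw value first, then transform.
// Assumed safe set: ASCII letters, digits, '#', '.', '-', '_' and space, max 64.
const SAFE_SELECTOR = /^[A-Za-z0-9#._\- ]{1,64}$/;

function safePopupSelector(queryString) {
  const raw = new URLSearchParams(queryString).get("popup-selector");
  if (raw === null || !SAFE_SELECTOR.test(raw)) return null; // reject, no fallback
  return raw.replace(/_/g, " ");
}

// Defender-side check over access logs: return popup-selector values the
// allow-list would reject, as candidates for review.
function findRejectedSelectors(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP/);
    if (!m) continue;
    const query = m[1].split("?")[1];
    if (!query) continue;
    const raw = new URLSearchParams(query).get("popup-selector");
    if (raw !== null && !SAFE_SELECTOR.test(raw)) hits.push(raw);
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [26/Feb/2025:10:00:01 +0000] "GET /?popup-selector=eael_popup_1 HTTP/1.1" 200 512',
  '203.0.113.9 - - [26/Feb/2025:10:00:02 +0000] "GET /?popup-selector=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512',
  '203.0.113.7 - - [26/Feb/2025:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 1024',
];

console.log(findRejectedSelectors(SAMPLE_LOG)); // prints [ '<b>x</b>' ]
```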

It is strongly recommended that all users of Essential Addons for Elementor update to version 6.0.15 immediately. This update is vital to safeguard your website and its users from potential attacks.
