
A high-severity security flaw has been discovered in the widely used WordPress plugin, Essential Addons for Elementor, putting over two million websites at risk. The vulnerability, tracked as CVE-2025-24752, is a reflected Cross-Site Scripting (XSS) issue that could allow malicious actors to inject harmful scripts into unsuspecting users’ browsers.
Essential Addons for Elementor, a popular extension bundle for the Elementor page builder, has a massive user base, making this vulnerability particularly concerning. The flaw resided in the plugin’s handling of the “popup-selector” query argument, a parameter used to trigger pop-up functionalities.
According to a detailed analysis by Patchstack, the vulnerability stemmed from insufficient validation and sanitization of this query argument. Prior to the patch, the plugin would simply replace underscore symbols with spaces and then embed the argument’s value directly into the page, without any further checks. This lack of scrutiny created an opening for attackers to inject malicious JavaScript code.
The simplicity of the attack vector is what makes this so dangerous: a crafted link is all that is required, and a successful injection could be used to steal user credentials, redirect visitors to phishing sites, or deface entire websites.
The vulnerable code was located in the plugin’s src/js/view/general.js file. On page load, this script read the “popup-selector” argument from the URL and used it without validation, so whatever value a link carried was accepted as-is.
The severity of the issue is reflected in its CVSS score of 7.1, indicating a high-risk vulnerability. Fortunately, the plugin’s developers responded swiftly, releasing version 6.0.15 to address the flaw.
The patch introduces strict validation for the “popup-selector” value, restricting it to alphanumeric characters and a small set of safe symbols. Because markup and script delimiters are no longer accepted, the reflected value can no longer carry a script payload, which blocks the common XSS attack methods.
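The following is an added illustration of that kind of allowlist check, written for this article and not taken from the plugin: it reads a “popup-selector” query argument, rejects anything outside an allowlist, and only then applies the underscore-to-space rewrite the article describes. The exact character set accepted by version 6.0.15 is not stated here, so the pattern below (letters, digits, `-`, `_`, `#`, `.`) and the function names are assumptions.

```javascript
// Added example (not the plugin's own code). Allowlist validation for a
// "popup-selector"-style query argument before it is used on the page.
// The pattern below is an assumption; the plugin's real allowlist may differ.
const SAFE_SELECTOR = /^[A-Za-z0-9_#.-]{1,100}$/;

// Returns the selector with underscores rewritten to spaces (the behaviour
// described for the plugin), or null if the raw value fails the allowlist.
// The rewrite happens only after validation, so the result can never
// contain characters such as '<', '"' or '>' that would let a reflected
// value break out of markup or an attribute.
function sanitizePopupSelector(raw) {
  if (typeof raw !== 'string' || !SAFE_SELECTOR.test(raw)) {
    return null;
  }
  return raw.replace(/_/g, ' ');
}

// Reads "popup-selector" from a full page URL and validates it.
// URLSearchParams percent-decodes the value first, so an encoded
// payload is checked in its decoded form, not its encoded one.
function popupSelectorFromUrl(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get('popup-selector');
  return raw === null ? null : sanitizePopupSelector(raw);
}

// Runs the check over a few constructed URLs (example.test is a placeholder)
// and returns the outcomes, so the behaviour can be inspected or asserted on.
function demo() {
  const urls = [
    'https://example.test/?popup-selector=eael_popup_1',
    'https://example.test/?popup-selector=a%3Cb',
    'https://example.test/',
  ];
  return urls.map((u) => ({ url: u, selector: popupSelectorFromUrl(u) }));
}
```

Only the validated value should ever reach the DOM; a null result means the parameter is ignored rather than reflected.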
We strongly urge all users of Essential Addons for Elementor to update to version 6.0.15 immediately. This update is crucial to protect your website and its users from potential attacks.