CVE-2025-24752: High-Severity WordPress Plugin Flaw Poses Risk of XSS Attacks for Millions
2/26/2025
A high-severity vulnerability has been found in Essential Addons for Elementor, a widely used WordPress plugin with more than two million active installations. The issue, tracked as CVE-2025-24752, is a reflected cross-site scripting (XSS) vulnerability: an attacker who can get a user to open a crafted URL on an affected site can run attacker-controlled JavaScript in that user's browser, in the context of the site.
Essential Addons for Elementor is a popular add-on bundle for the Elementor page builder, and its large install base is what makes the flaw worth attention. The vulnerability lies in the plugin's handling of the "popup-selector" query argument, which the plugin reads from the URL to decide which pop-up to open.
Patchstack's analysis attributed the issue to missing validation and sanitization of this query argument. Before the patch, the plugin replaced underscores in the value with spaces and then inserted the result into the page without any further checks, so a crafted value could carry markup or JavaScript into the page. The underscore-to-space step is part of what makes this convenient for an attacker: a payload can be written with no literal spaces in the URL and still arrive as well-formed HTML attributes on the victim's side.
The simplicity of the attack vector makes it particularly hazardous. Because the flaw is reflected, the attacker needs no account on the site, only a victim who follows a crafted link. What the injected script can do then depends on who the victim is: an ordinary visitor can be redirected to a phishing site or have credentials they enter stolen, while a logged-in administrator who follows the link can have actions performed with their session, up to altering or defacing the site.
The vulnerable code is in the plugin's src/js/view/general.js file, which runs in the visitor's browser. On page load it reads the "popup-selector" argument from the URL and acts on it directly, with no check on what the value contains.
The flaw carries a CVSS score of 7.1, which puts it in the High band. The developers responded promptly and released version 6.0.15 to fix the issue.
The update adds strict validation of the "popup-selector" value: only alphanumeric characters and a small set of symbols are accepted, and anything else is rejected before the value is used. Because this is an allowlist rather than a blocklist of known payloads, it blocks the usual XSS vectors (tags, event-handler attributes, script URLs) rather than just the specific payload that was reported.
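To make the before-and-after concrete, here is an added illustration of the pattern described above. It is not code from Essential Addons for Elementor or from Patchstack: the exact sink in general.js and the exact character set accepted by 6.0.15 are not reproduced, the allowlist regex is an assumption in the spirit of "alphanumerics plus a few safe symbols", and the attacker URL and benign URL are constructed for the example. What it shows is how the underscore-to-space substitution turns a space-free URL value into a complete HTML tag, and how checking the raw value against an allowlist before any substitution or use stops that.

```javascript
// Added illustration, not the plugin's code. Models the pattern the advisory
// describes: a query argument is read, underscores become spaces, and the
// result is handed to something that interprets it. The allowlist below is an
// assumed one; the real 6.0.15 check is not reproduced here.

const PARAM = "popup-selector";

// Read the argument the way client-side code would, from location.search.
function readPopupSelector(search) {
  return new URLSearchParams(search).get(PARAM);
}

// Pre-patch pattern: underscore -> space, then the value is used as-is.
function popupSelectorUnsafe(search) {
  const raw = readPopupSelector(search);
  if (raw === null) return null;
  return raw.replace(/_/g, " ");
}

// Hardened pattern: validate the RAW value against an allowlist before the
// underscore substitution or any other use. Assumed allowlist: letters,
// digits and the characters ordinary CSS selectors need (- _ # . : and space).
const SELECTOR_ALLOWLIST = /^[A-Za-z0-9_\-#.: ]+$/;

function popupSelectorSafe(search) {
  const raw = readPopupSelector(search);
  if (raw === null || !SELECTOR_ALLOWLIST.test(raw)) return null;
  return raw.replace(/_/g, " ");
}

// Would a sink that accepts HTML strings (innerHTML, or a selector API that
// also builds elements from "<tag ...>" strings) treat this value as markup?
function wouldBeParsedAsMarkup(value) {
  return typeof value === "string" && /^\s*</.test(value);
}

// Constructed attacker value: no literal spaces in the URL, because the
// underscore-to-space step supplies them on the victim's side.
const CONSTRUCTED_PAYLOAD = "<img_src=x_onerror=alert(document.domain)>";
const CONSTRUCTED_ATTACK_SEARCH =
  "?" + PARAM + "=" + encodeURIComponent(CONSTRUCTED_PAYLOAD);
// Constructed legitimate value: a descendant selector written with an underscore.
const CONSTRUCTED_BENIGN_SEARCH =
  "?" + PARAM + "=" + encodeURIComponent(".eael-popup_#open-btn");

// Run both code paths against both inputs and return the outcomes.
function demo() {
  const unsafeAttack = popupSelectorUnsafe(CONSTRUCTED_ATTACK_SEARCH);
  return {
    unsafeAttack,                                         // full <img ... onerror=...> tag
    unsafeAttackIsMarkup: wouldBeParsedAsMarkup(unsafeAttack),
    safeAttack: popupSelectorSafe(CONSTRUCTED_ATTACK_SEARCH),   // rejected -> null
    safeBenign: popupSelectorSafe(CONSTRUCTED_BENIGN_SEARCH),   // ".eael-popup #open-btn"
  };
}

console.log(demo());
```

The order of operations is the point: validating the raw value before the substitution means the allowlist is checked against exactly what the attacker sent, and a value that is rejected never reaches the underscore replacement or the sink.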
All users of Essential Addons for Elementor should upgrade to version 6.0.15 or later as soon as possible. Until the update is applied, the site and anyone who can be lured to a crafted link on it remain exposed.
To learn more about our services and how we can help protect your systems, visit https://www.vaptern.com/services or contact us directly.