- Is your live TV streaming service still worth it? I review the options for every budget
- What to expect at Amazon's event this week: Alexa 2.0, new Echos, and Fire TV upgrades
- The best iPad stylus of 2025: Expert tested
- Need a Windows 10 alternative or still miss XP? This Linux distro is for you - and it's free
- Texting while driving? AI traffic cameras are watching you in these 5 states
Essential Addons for Elementor XSS Vulnerability Discovered
A critical security vulnerability in Essential Addons for Elementor has been identified, potentially impacting over two million WordPress websites.
The flaw, a reflected cross-site scripting (XSS) vulnerability, was discovered due to insufficient validation of the popup-selector query argument, allowing malicious scripts to be executed.
The issue, tracked with CVE-2025-24752, was first uncovered by Patchstack Alliance researcher xssium on September 30, 2024. After notifying the plugin vendor, a fix was implemented in version 6.0.15.
Understanding the Vulnerability
Essential Addons for Elementor is the most popular extension for the Elementor page builder, counting over 2 million active installations.
It enhances Elementor’s functionality by providing additional creative elements that help users design more dynamic and visually appealing web pages.
The flaw originated from the src/js/view/general.js file, where the plugin failed to properly sanitize the popup-selector argument.
When triggered, this could allow attackers to execute malicious scripts by embedding harmful content into the page.
Read more on WordPress plugin security: WordPress ASE Plugin Vulnerability Threatens Site Security
How the Patch Fixes the Issue
The WPDeveloper resolved the vulnerability by enforcing stricter validation, permitting only alphanumeric characters and a limited set of symbols in the popup-selector argument. This prevents common XSS attack methods from exploiting the flaw.
WordPress developers are reminded of the importance of properly validating and sanitizing user-provided data.
“When working with user-provided data, developers need to ensure this data is properly validated and sanitized against potential processes that could lead to XSS,” Patchstack warned.
“Additionally, when rendering user-provided data back onto the website, it is important to make sure the content is properly escaped to help ensure potential XSS vulnerability.”
Failure to do so can expose websites to significant security risks, including unauthorized access and data breaches.
