- I recommend the Pixel 9 to most people looking to upgrade - especially while it's $250 off
- Google's viral research assistant just got its own app - here's how it can help you
- Sony will give you a free 55-inch 4K TV right now - but this is the last day to qualify
- I've used virtually every Linux distro, but this one has a fresh perspective
- The 7 gadgets I never travel without (and why they make such a big difference)
Essential Addons for Elementor XSS Vulnerability Discovered
A critical security vulnerability in Essential Addons for Elementor has been identified, potentially impacting over two million WordPress websites.
The flaw, a reflected cross-site scripting (XSS) vulnerability, was discovered due to insufficient validation of the popup-selector query argument, allowing malicious scripts to be executed.
The issue, tracked with CVE-2025-24752, was first uncovered by Patchstack Alliance researcher xssium on September 30, 2024. After notifying the plugin vendor, a fix was implemented in version 6.0.15.
Understanding the Vulnerability
Essential Addons for Elementor is the most popular extension for the Elementor page builder, counting over 2 million active installations.
It enhances Elementor’s functionality by providing additional creative elements that help users design more dynamic and visually appealing web pages.
The flaw originated from the src/js/view/general.js file, where the plugin failed to properly sanitize the popup-selector argument.
When triggered, this could allow attackers to execute malicious scripts by embedding harmful content into the page.
Read more on WordPress plugin security: WordPress ASE Plugin Vulnerability Threatens Site Security
How the Patch Fixes the Issue
The WPDeveloper resolved the vulnerability by enforcing stricter validation, permitting only alphanumeric characters and a limited set of symbols in the popup-selector argument. This prevents common XSS attack methods from exploiting the flaw.
WordPress developers are reminded of the importance of properly validating and sanitizing user-provided data.
“When working with user-provided data, developers need to ensure this data is properly validated and sanitized against potential processes that could lead to XSS,” Patchstack warned.
“Additionally, when rendering user-provided data back onto the website, it is important to make sure the content is properly escaped to help ensure potential XSS vulnerability.”
Failure to do so can expose websites to significant security risks, including unauthorized access and data breaches.
