WordPress Plugin Flaw Exposes Millions to Script Injection



A critical flaw in the Essential Addons for Elementor plugin, affecting over 2 million WordPress sites, exposes them to script injection attacks through malicious URL parameters.

WordPress Plugin Flaw

The flaw, CVE-2025-24752, with a CVSS score of 7.1 (High), allowed attackers to carry out reflected cross-site scripting (XSS) attacks by exploiting weak input sanitization in the plugin’s password reset feature, according to Patchstack.

The vulnerability was caused by improper handling of the popup-selector query parameter in the plugin’s JavaScript code.

Attackers could create URLs with malicious scripts in this parameter, which would run when users clicked the link.

This reflected XSS attack could lead to session hijacking, phishing redirects, or malware distribution by exploiting the victim’s browser trust in the website.

The vulnerable code was located in the src/js/view/general.js file.

$(document).ready(function(){
    let resetPasswordParams = new URLSearchParams(location.search);
    if ( resetPasswordParams.has('popup-selector') && (
         resetPasswordParams.has('eael-lostpassword')
         || resetPasswordParams.has('eael-resetpassword')
    )) {
        // Value is read straight from the query string, unvalidated
        let popupSelector = resetPasswordParams.get('popup-selector');
        if(popupSelector.length){
            popupSelector = popupSelector.replace(/_/g," ");
            setTimeout(function(){
                // jQuery() treats a string starting with "<" as HTML to parse,
                // not as a CSS selector, so a crafted value is rendered here
                jQuery(popupSelector).trigger('click');
            }, 300);
        }
    }
});

The popup-selector value was taken directly from the URL and passed to jQuery() without validation or escaping. Because jQuery() parses a string that begins with "<" as HTML rather than as a selector, an attacker-controlled value is rendered into the page, allowing arbitrary JavaScript to run.

For instance, a URL like https://victim-site.com/?popup-selector=<script>malicious-code</script> would trigger the malicious payload.

Patch and Mitigation

WPDeveloper, the plugin’s developers, released version 6.0.15 to fix the flaw by adding strict input validation.

The updated code limits popup-selector values to alphanumeric characters and specific safe symbols, effectively neutralizing XSS vectors.

// Patched validation logic (6.0.15): strip every character outside the allow-list
popupSelector = popupSelector.replace(/[^a-zA-Z0-9-_. ]/g, "");
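The following is an added example, not code from the plugin or from Patchstack: it applies the patched allow-list to constructed popup-selector values and flags request URLs whose raw parameter would have been parsed as HTML by jQuery(), which is useful when reviewing access logs of a site that ran the vulnerable version. The URLs, the `inspectRequest` helper and the `suspicious` criterion are assumptions made for this example.

```javascript
// Added example (not the plugin's code). Allow-list taken from the 6.0.15 fix.
const DISALLOWED = /[^a-zA-Z0-9-_. ]/g;

// Mirrors the patched flow: underscores become spaces, then everything
// outside the allow-list is stripped before the value reaches jQuery().
function sanitizePopupSelector(raw) {
  return raw.replace(/_/g, " ").replace(DISALLOWED, "");
}

// jQuery(str) parses str as HTML when it starts with "<"; after sanitization
// this can no longer happen because "<" is not in the allow-list.
function wouldBeParsedAsHtml(value) {
  return value.trim().startsWith("<");
}

// Classify one request URL (hypothetical helper). Returns null when the
// parameter is absent, otherwise what the raw value looked like and whether
// the vulnerable code path (reset-password flow) would have been reached.
function inspectRequest(url) {
  const params = new URL(url).searchParams;
  if (!params.has("popup-selector")) return null;
  const raw = params.get("popup-selector");
  const clean = sanitizePopupSelector(raw);
  return {
    raw,
    clean,
    resetFlow: params.has("eael-lostpassword") || params.has("eael-resetpassword"),
    // Suspicious if the sanitizer had to remove anything or the value is markup
    suspicious: wouldBeParsedAsHtml(raw) || clean !== raw.replace(/_/g, " "),
  };
}

// Constructed sample URLs (not real traffic); the payload is the placeholder
// the advisory itself uses, URL-encoded as a browser would send it.
const SAMPLE_URLS = [
  "https://example.test/?eael-lostpassword=1&popup-selector=.eael-lostpassword-popup",
  "https://example.test/?eael-resetpassword=1&popup-selector=%3Cscript%3Emalicious-code%3C%2Fscript%3E",
  "https://example.test/?page=2",
];

function suspiciousRequests(urls) {
  return urls.map(inspectRequest).filter((r) => r && r.suspicious);
}
```

Running `suspiciousRequests(SAMPLE_URLS)` returns only the second URL, with `resetFlow` true, while the legitimate selector in the first URL passes the allow-list unchanged.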

WordPress administrators are urged to update to version 6.0.15 or higher immediately. If unable to patch, disabling the plugin until an update is applied is recommended.

This incident highlights ongoing risks in the WordPress ecosystem, where popular plugins are prime targets. Essential Addons, one of Elementor’s most installed extensions, amplifies the impact of this flaw.

Sucuri researcher Ben Martin emphasizes, “XSS flaws in plugins with millions of users can lead to widespread compromises. Proper input sanitization is crucial for plugin developers.”

WordPress users should enable auto-updates and regularly conduct security audits. As of February 2025, no major exploits have been reported, but delayed patching could lead to severe breaches.


February 26th, 2025 | 2025-03-03T23:47:37+05:30 | Internet Security, Malware, Security Advisory, Security Update, wordpress

About the Author:

FirstHackersNews- Identifies Security
