
Critical WordPress Plugin Vulnerability Affects 2 Million Sites

XSS on Essential Addons for Elementor

A critical reflected cross-site scripting (XSS) vulnerability has been discovered in the Essential Addons for Elementor plugin, potentially affecting over two million WordPress websites. The security flaw, tracked as CVE-2025-24752, was reported by security researcher "xssium" through the Patchstack Alliance.

According to the security advisory, the vulnerability stems from improper sanitization of the 'popup-selector' query parameter in the plugin's src/js/view/general.js file. The plugin would replace underscores with spaces but failed to sanitize other dangerous characters, allowing attackers to inject malicious JavaScript code that would execute in victims' browsers.

Vulnerable code
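To make the distinction concrete, here is an added illustration (not the plugin's code; the id-selector allowlist is an assumed policy for this example) contrasting an underscore-only transform with strict validation of the 'popup-selector' value:

```javascript
// Added illustration, not code from Essential Addons for Elementor. It models the
// weakness described above: replacing underscores with spaces is a formatting step,
// not a security control, because every other character reaches the page untouched.

// Weak transform: only underscores are rewritten, nothing else is checked.
function weakSanitize(value) {
  return String(value).replace(/_/g, " ");
}

// Strict allowlist (assumed policy): a popup selector is expected to name an
// element id, so accept only an optional '#' followed by plain id characters.
const SELECTOR_PATTERN = /^#?[A-Za-z][A-Za-z0-9_-]{0,63}$/;

// Returns a normalised "#id" selector, or null when the input does not match.
// Rejecting is safer than trying to "clean" a value that does not fit the expected shape.
function validatePopupSelector(value) {
  if (typeof value !== "string" || !SELECTOR_PATTERN.test(value)) {
    return null;
  }
  return value.startsWith("#") ? value : "#" + value;
}

// Reads 'popup-selector' from a request URL (constructed sample URLs in the test)
// and reports whether the value was accepted, so a reviewer can see which requests
// would have reached the DOM under the weak transform but are refused here.
function handlePopupParam(url) {
  const raw = new URL(url).searchParams.get("popup-selector");
  if (raw === null) {
    return { accepted: false, selector: null };
  }
  const selector = validatePopupSelector(raw);
  return { accepted: selector !== null, selector };
}
```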

This high-severity vulnerability, with a CVSS score of 7.1, could lead to serious consequences if exploited, including session hijacking, phishing redirects, or unauthorized administrative access to affected sites.

Essential Addons for Elementor is the most popular extension bundle for the Elementor page builder, providing WordPress site owners with more than 100 design elements such as advanced data tables, WooCommerce integrations, and dynamic galleries. Its widespread adoption made it an attractive target for potential attackers.

The plugin's developer, WPDeveloper, addressed the vulnerability by releasing version 6.0.15. However, proof-of-concept code for the flaw has also been released on GitHub.

PoC for CVE-2025-24752

WordPress site administrators using Essential Addons for Elementor are strongly advised to update to version 6.0.15 or later immediately. 
