Essential Addons for Elementor XSS Vulnerability Could Impact Over 2 Million WordPress Sites

A critical security issue has been disclosed in Essential Addons for Elementor, one of the most widely installed extensions for the Elementor page builder. The vulnerability could affect more than two million WordPress sites running the plugin, depending on version and exposure. The flaw is a reflected cross-site scripting (XSS) issue caused by insufficient validation of a query parameter, which can allow malicious scripts to execute in a victim’s browser.

Tracked as CVE-2025-24752, the vulnerability was identified after researchers found that the plugin did not properly validate the popup-selector query argument. Patchstack Alliance researcher xssium reported the issue on September 30, 2024, and the vendor later released a fix in version 6.0.15. While reflected XSS does not automatically mean an attacker can take over a website, it can still create serious real-world risk, especially when combined with social engineering, admin-targeting, or other weaknesses in a site’s security posture.

Essential Addons for Elementor is popular because it adds extra widgets and design elements that make it easier to build interactive pages without custom development. That wide reach is exactly why vulnerabilities in high-install plugins matter, even when the bug “only” affects browser-side behavior. At scale, attackers often look for these opportunities because they can be automated and used in broader campaigns.

How the reflected XSS works and why it matters

Reflected XSS happens when a website takes user-controlled input, such as a URL parameter, and reflects it back into a page without properly sanitizing and escaping it. In this case, the issue was tied to the popup-selector argument, which the plugin handled in a way that allowed crafted content to be interpreted as script in the browser.

The vulnerability originated in the plugin’s JavaScript logic, specifically in the src/js/view/general.js file. Because the argument was not properly sanitized, an attacker could craft a malicious URL containing injected script and lure a victim into clicking it. If the victim loads the page, the script runs in their browser within the context of the affected site.

That context is what makes XSS dangerous. Malicious scripts can attempt to steal session tokens, capture keystrokes, perform actions on behalf of a logged-in user, or manipulate page content. The impact depends heavily on who clicks the link. If the victim is an administrator, the consequences can escalate quickly, including unauthorized changes to site settings, plugin installs through admin actions, or the creation of new privileged accounts.

Even when strong security controls exist, reflected XSS remains a useful tool for attackers because it can bypass some perimeter defenses and exploit trust. If a link looks like it belongs to a legitimate domain, users may click without hesitation, especially when the lure matches their workflow.

Fix details and what WordPress site owners should do now

The vendor addressed the flaw in Essential Addons for Elementor version 6.0.15 by implementing stricter validation for the popup-selector argument. The fix allows only alphanumeric characters and a limited set of safe symbols, blocking common injection patterns that XSS payloads rely on. This is a practical example of a broader rule: validate input strictly, then escape output consistently before rendering any user-controlled data back onto a page.

If your site uses Essential Addons for Elementor, the safest move is to update to version 6.0.15 or later immediately. After updating, clear any caching layers so the patched assets are served to visitors. It’s also wise to review logs for unusual requests containing suspicious query strings, and to ensure admin accounts use strong passwords and multi-factor authentication.
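The following is an added example, not code from Essential Addons or its vendor, that ties together the two points above: the allowlist-style validation applied to the popup-selector argument in the fix, and the log review recommended for site owners. The accepted character set, the 100-character limit, the function names and the log lines are all assumptions or constructed samples, since the page does not give the vendor's exact rules.

```javascript
// Added example, not code from the Essential Addons plugin. It shows allowlist
// validation of a selector-like query argument and a log check built on the
// same rule. The exact character set the vendor accepts in 6.0.15 is not stated
// on the page, so the set below (letters, digits, '#', '.', '_', '-') is assumed.
const SAFE_SELECTOR = /^[A-Za-z0-9#._-]+$/;
const MAX_LEN = 100; // assumed upper bound; real selectors are short

// Return the value unchanged only if it passes the allowlist; otherwise null so
// the caller falls back to a safe default instead of using attacker-shaped input.
function validatePopupSelector(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_LEN) return null;
  return SAFE_SELECTOR.test(raw) ? raw : null;
}

// Extract and validate 'popup-selector' from a full page URL.
function popupSelectorFromUrl(url) {
  return validatePopupSelector(new URL(url).searchParams.get('popup-selector'));
}

// Resolve the popup with an element-lookup API only. Handing the raw string to an
// HTML-interpreting sink (innerHTML, jQuery's $(htmlString)) is the pattern that
// lets an unvalidated argument become script in the visitor's browser.
function findPopup(doc, raw) {
  const sel = validatePopupSelector(raw);
  if (sel === null) return null;
  try { return doc.querySelector(sel); } catch (_) { return null; }
}

// Log review: return request paths whose popup-selector value fails the same
// allowlist. Lines are matched on the request field of a combined-format log.
function flagSuspiciousRequests(logText) {
  const flagged = [];
  for (const line of logText.split('\n')) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP/);
    if (!m) continue;
    const qs = m[1].split('?')[1];
    if (!qs) continue;
    const value = new URLSearchParams(qs).get('popup-selector');
    if (value !== null && validatePopupSelector(value) === null) flagged.push(m[1]);
  }
  return flagged;
}

// Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Oct/2024:10:00:01 +0000] "GET /page/?popup-selector=%23promo HTTP/1.1" 200 512',
  '203.0.113.6 - - [01/Oct/2024:10:00:02 +0000] "GET /page/?popup-selector=%3Cb%3E HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Oct/2024:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 1024',
].join('\n');
```

Running `flagSuspiciousRequests(SAMPLE_LOG)` on the constructed lines returns only the second request, whose decoded value contains characters outside the allowlist.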

Finally, treat plugin hygiene as an ongoing routine. Keep extensions updated, remove unused plugins, limit admin access, and consider a web application firewall to reduce the chance that similar issues turn into real compromise.
