A critical reflected cross-site scripting (XSS) vulnerability (tracked as CVE-2025-24752) in the popular WordPress plugin Essential Addons for Elementor, which has over two million active installations, enables attackers to execute malicious scripts in the context of affected websites. The flaw carries a CVSS score of 7.1, indicating a high-severity security threat.
The developers released a patch version 6.0.15, introducing additional validation mechanisms to restrict the ‘popup-selector’ parameter to alphanumeric characters and a limited set of safe symbols, effectively mitigating the risk of exploitation.
Experts have advised users to update their plugins immediately to avoid potential security breaches. If left unpatched, the flaw could allow hackers to perform a series of cyber-attacks, including phishing, session hijacking, or malicious redirects.
The vulnerability was caused by insufficient validation and sanitisation of the ‘popup-selector’ query argument in the plugin’s ‘src/js/view/general.js’ file. According to researchers, this flaw allowed attackers to inject and execute arbitrary scripts when the argument was reflected to users without proper filtering.

On page load, the function that handled the ‘popup-selector’ parameter replaced underscores with spaces and embedded the resulting value into the page without adequate sanitisation. This allowed attackers to craft malicious URLs that caused scripts to execute when a victim opened them.
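To make the fix described above concrete, here is an added example of the hardened pattern: a client-side reader for a URL query parameter that is later used as a CSS selector. This is illustrative code, not the plugin's own `general.js`; the function names, the exact allowlist of "safe symbols", the length cap and the way the selector is consumed are assumptions. It keeps the documented underscore-to-space behaviour, rejects any value outside the allowlist, and hands the result to the DOM API rather than writing it into the page as markup.

```javascript
// Added example (not the plugin's code): hardened handling of a
// 'popup-selector' query parameter, modelled on the behaviour the
// article describes. Allowlist and names are assumptions for illustration.

// Allowlist: letters, digits and a small set of symbols a selector for an
// element id/class legitimately needs. Everything else is rejected, which
// excludes the markup and quote characters reflected XSS depends on.
const SAFE_SELECTOR = /^[A-Za-z0-9 _.#-]+$/;
const MAX_LEN = 128; // assumed upper bound; keeps the value short and simple

// Returns the validated selector string, or null when the parameter is
// absent, empty, too long, or contains characters outside the allowlist.
function getPopupSelector(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  const raw = url.searchParams.get('popup-selector');
  if (raw === null) return null;
  // Replicate the documented behaviour: underscores become spaces.
  const value = raw.replace(/_/g, ' ');
  if (value.length === 0 || value.length > MAX_LEN) return null;
  if (!SAFE_SELECTOR.test(value)) return null;
  return value;
}

// Consumer: resolve the selector through the DOM API and toggle an
// attribute on the match. Nothing from the URL is ever inserted as HTML.
// Takes a document-like object so it can run outside a browser.
function openPopup(doc, href) {
  const selector = getPopupSelector(href);
  if (selector === null) return false;
  let target;
  try {
    target = doc.querySelector(selector);
  } catch (e) {
    return false; // allowlisted characters, but not a valid CSS selector
  }
  if (!target) return false;
  target.setAttribute('data-open', 'true'); // attribute set, never innerHTML
  return true;
}

// Constructed sample URLs (not real sites) showing accept/reject behaviour.
const samples = [
  'https://example.test/?popup-selector=eael_popup-1', // accepted
  'https://example.test/?popup-selector=%3Cb%3Ex%3C%2Fb%3E', // rejected: markup
  'https://example.test/', // rejected: parameter missing
];
for (const s of samples) {
  console.log(s, '->', getPopupSelector(s));
}
```

The key design choice is an allowlist rather than a denylist: instead of trying to strip every dangerous character, the code accepts only the characters a selector needs and rejects the rest. Passing the value to `querySelector` and `setAttribute` means that even an allowlisted string is never interpreted as HTML.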
Recently, a privilege escalation flaw in the ASE WordPress plugin exposed more than 100,000 websites. Last month, the RealHome theme and its associated Easy Real Estate plugin were found to have two critical vulnerabilities.
Last year, similar vulnerabilities were discovered in the JS Help Desk, WP Server Health, Ad Invalid Click Protector, PowerPress Podcasting plugin by Blubrry, SEO Optimised Images, and others.