A critical security vulnerability has been discovered in the Essential Addons for Elementor plugin, which is installed on over 2 million WordPress websites. The flaw, identified as CVE-2025-24752, enables attackers to exploit insufficient input sanitization in the plugin’s password reset functionality, allowing reflected cross-site scripting (XSS) attacks. This vulnerability is caused by improper handling of the popup-selector query parameter in the plugin’s JavaScript code, which can be manipulated by attackers to inject malicious scripts into a webpage when users click a malicious link.
By crafting a specially designed URL, attackers can insert arbitrary JavaScript code into the page, enabling them to perform various malicious activities such as session hijacking, phishing redirects, or malware distribution. The vulnerability arises from the fact that the popup-selector value is retrieved directly from the URL and injected into the page without validation or escaping of its content. This flaw allows an attacker to execute their malicious code on the victim’s browser by simply tricking the user into clicking the infected link.
The plugin’s developers, WPDeveloper, have since released a patch in version 6.0.15 to address this security issue.
The update includes a fix that implements strict input validation, ensuring that the popup-selector parameter can only contain alphanumeric characters and specific safe symbols. WordPress administrators are strongly advised to update to at least version 6.0.15 to avoid falling victim to this attack. For users unable to update immediately, disabling the plugin is recommended until the patch can be applied.
This incident serves as a reminder of the persistent security risks that exist within the WordPress ecosystem, particularly in popular plugins with large user bases. The vulnerability in Essential Addons for Elementor highlights the potential for widespread exploitation of XSS flaws, which can lead to large-scale compromises. WordPress users are encouraged to enable auto-updates for their plugins and regularly conduct security audits to minimize the risk of such vulnerabilities being exploited in the future.
