Millions of WordPress Sites at Risk Due to Plugin Script Injection Vulnerability

A critical security flaw in the Essential Addons for Elementor plugin (CVE-2025-24752) has exposed over two million WordPress websites to cross-site scripting (XSS) attacks.

The vulnerability, found in the plugin’s handling of user inputs, allowed attackers to inject malicious scripts through specially crafted URLs. Although patched in version 6.0.15, this incident highlights the need for strict input validation in web development.

As the most widely used extension bundle for the Elementor page builder, Essential Addons for Elementor boasts over two million active installations. The plugin enhances WordPress functionality with 100+ design elements, including advanced data tables, WooCommerce integrations, and dynamic galleries. However, its widespread adoption makes it an attractive target for cybercriminals aiming to exploit vulnerabilities at scale.

Vulnerability Enables Script Injection Attacks

The flaw originated from improper sanitization of the popup-selector query parameter in the plugin’s src/js/view/general.js file. Attackers could manipulate this parameter by embedding malicious JavaScript payloads in URLs, which the plugin would reflect back to users without proper validation.

The vulnerable code replaced underscores with spaces but failed to filter out other harmful characters, enabling attackers to execute scripts in victims’ browsers.

This vulnerability received a CVSS score of 7.1, categorizing it as high severity. If exploited, it could enable session hijacking, phishing attacks, or unauthorized administrative access.

Security researcher xssium identified and reported the flaw through the Patchstack Alliance. In response, WPDeveloper patched the issue in version 6.0.15 by enforcing strict input validation for the popup-selector parameter.

The updated code limits allowed characters to alphanumerics and a restricted set of symbols (e.g., -, .), effectively eliminating XSS attack vectors.

The fix exemplifies a defense-in-depth strategy by integrating both client-side and server-side validation—an essential best practice for preventing injection attacks.

This incident underscores three key takeaways for web developers:

• Input Validation: User-supplied data must undergo strict whitelisting rather than relying on blacklisting known malicious characters.
• Third-Party Risk: Widely used plugins significantly expand the attack surface, making regular security audits and automated updates crucial.
• Defense Layering: Implementing both client-side and server-side controls minimizes the risk of exploit chaining.

Administrators should update to Essential Addons for Elementor 6.0.15 or later without delay. By prioritizing security hygiene and adopting a zero-trust approach to user inputs, the web development community can better safeguard against emerging threats in an increasingly hostile digital landscape.