Full Report
Elementor plugin flaw puts 2m WordPress websites at risk, allowing XSS attacks via malicious scripts
Analysis Summary
# Vulnerability: Essential Addons for Elementor Reflected Cross-Site Scripting (XSS)
## CVE Details
- CVE ID: CVE-2025-24752
- CVSS Score: Not provided in the source text. (Severity: Critical due to high impact, but score pending official calculation)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
## Affected Systems
- Products: Essential Addons for Elementor (WordPress Plugin)
- Versions: Versions prior to 6.0.15
- Configurations: Any configuration running the vulnerable plugin version. The vulnerability is triggered via the `popup-selector` query argument.
## Vulnerability Description
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Essential Addons for Elementor plugin due to insufficient validation and sanitization of the `popup-selector` query argument. An attacker can exploit this flaw by injecting malicious scripts into the parameter, which are then executed by the application within the context of a user's browser session. The vulnerability stems from flaws in the `src/js/view/general.js` file.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but proof-of-concept (PoC) research was conducted.
- Complexity: Likely Low to Medium, typical for reflected XSS where users only need to click a crafted link.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Potential for session hijacking, credential theft)
- Integrity: High (Potential for unauthorized actions on behalf of the user)
- Availability: Low (Primarily an information disclosure/session integrity issue, not directly causing a denial of service)
## Remediation
### Patches
- Patch available in **Essential Addons for Elementor version 6.0.15** and newer.
### Workarounds
- No specific workarounds were detailed. In general, restricting access to affected pages or adding Web Application Firewall (WAF) rules that filter malicious script payloads in query strings can serve as temporary measures until the patch is applied.
## Detection
- Indicators of Compromise: Look for unusual script tags or encoded payloads within URLs containing the `popup-selector` parameter on your WordPress sites.
- Detection Methods and Tools: Security scanners and WAFs configured to detect XSS payloads. Monitoring server logs for requests containing suspicious input in query strings.
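
One way to carry out the log monitoring described above, as an added example (not taken from the advisory or the plugin's code): it pulls `popup-selector` out of access-log request lines, undoes repeated percent-encoding, and flags values that fall outside a conservative selector allowlist. The combined log format, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "popup-selector"
# Assumption: legitimate values are simple CSS selectors (#id, .class, tag names).
# Attribute selectors such as [data-x] would be flagged; widen the set if your site uses them.
SAFE_SELECTOR = re.compile(r"[A-Za-z0-9_\-#., ]*")
# Request field of a common/combined access log: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so that %253C is treated like '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(log_line):
    """Return decoded popup-selector values that fall outside the allowlist."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if fully_decode(name).lower() != PARAM:
            continue
        decoded = fully_decode(value)
        if not SAFE_SELECTOR.fullmatch(decoded):
            hits.append(decoded)
    return hits

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1) for v in suspicious_values(line)]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:10:00:01 +0000] "GET /pricing/?popup-selector=%23promo-popup HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Feb/2025:10:00:02 +0000] "GET /?popup-selector=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Feb/2025:10:00:03 +0000] "GET /?page=2&popup-selector=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Feb/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: suspicious {PARAM} value: {value!r}")
```

Flagged lines are leads for review rather than proof of compromise; a hit on a site still running a version prior to 6.0.15 is the case to prioritize.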
## References
- Vendor Advisory/Discovery: Patchstack Alliance researcher xssium discovered the issue on September 30, 2024.
- Relevant links:
  - infosecurity-magazine.com/news/elementor-plugin-vulnerability-2m/ (Defanged)
  - infosecurity-magazine.com/news/wordpress-ase-plugin-flaw/ (Defanged)