Essential Addons for Elementor
Reflected Cross Site Scripting
This blog post is about the Essential Addons for Elementor plugin vulnerability. If you're an Essential Addons for Elementor user, please update the plugin to at least version 6.0.15.
✌️ Our users are protected from this vulnerability. Are yours?
Automatically mitigate vulnerabilities in real-time without changing code.
See pricingIdentify vulnerabilities in your plugins and get recommendations for fixes.
Request auditProtect your users, improve server health and earn additional revenue.
Patchstack for hostsAbout the Essential Addons for Elementor plugin
The plugin Essential Addons for Elementor, which has over 2 million active installations, is the most popular extension bundle for the Elementor page builder.
This plugin provides Elementor users with various additional creative elements to use when building pages.
The security vulnerability
The Essential Addons for Elementor plugin suffered from a reflected cross-site scripting (XSS) vulnerability. The vulnerability occurred due to insufficient validation and sanitizing of the popup-selector query argument, allowing for a malicious value to be reflected back at the user. The vulnerability is fixed in version 6.0.15 and has been tracked with CVE-2025-24752.
The underlying vulnerability exists in the src/js/view/general.js file:
------------------ CUT HERE ------------------
$(document).ready(function(){
let resetPasswordParams = new URLSearchParams(location.search);
if ( resetPasswordParams.has('popup-selector') && ( resetPasswordParams.has('eael-lostpassword') || resetPasswordParams.has('eael-resetpassword') ) ){
let popupSelector = resetPasswordParams.get('popup-selector');
if(popupSelector.length){
popupSelector = popupSelector.replace(/_/g," ");
setTimeout(function(){
jQuery(popupSelector).trigger('click');
}, 300);
}
}
});
------------------ CUT HERE ------------------On page load, the function checks for a query argument (also known as a search parameter) called popup-selector. The value of this argument then has any _ symbols replaced with spaces and, without additional validation or sanitization, the value is embedded into the page and triggered as if clicked.
The patch
The vendor patched the issue by adding additional validation to the popup-selector variable. This additional validation allows for only alphanumeric characters and a select group of other characters, preventing the methods generally used for XSS attacks. The patch can be seen below:
Conclusion
When working with user-provided data, developers need to ensure this data is properly validated and sanitized against potential process that could lead to XSS. Additionally, when rendering user-provided data back onto the website, it is important to make sure the content is properly escaped to help ensure potential XSS vulnerability.
Want to learn more about finding and fixing vulnerabilities?
Explore our Academy to master the art of finding and patching vulnerabilities within the WordPress ecosystem. Dive deep into detailed guides on various vulnerability types, from discovery tactics for researchers to robust fixes for developers. Join us and contribute to our growing knowledge base.
Timeline
🤝 You can help us make the Internet a safer place
Streamline your disclosure process to fix vulnerabilities faster and comply with CRA.
Get started for freeProtect your users too! Improve server health and earn added revenue with proactive security.
Patchstack for hostsReport vulnerabilities to our gamified bug bounty program to earn monthly cash rewards.
Learn more
