Essential Addons for Elementor
Reflected Cross Site Scripting
This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re an Essential Addons for Elementor user, please update the plugin to at least version 6.0.15.
If you are a Patchstack customer, you are protected from this vulnerability already, and no further action is required from you.
For plugin developers, we have security audit services and Enterprise API for hosting companies.
About the Essential Addons for Elementor plugin
The plugin Essential Addons for Elementor, which has over 2 million active installations, is the most popular extension bundle for the Elementor page builder.
This plugin provides Elementor users with various additional creative elements to use when building pages.
The security vulnerability
The Essential Addons for Elementor plugin suffered from a reflected cross-site scripting (XSS) vulnerability. The vulnerability occurred due to insufficient validation and sanitizing of the popup-selector query argument, allowing for a malicious value to be reflected back at the user. The vulnerability is fixed in version 6.0.15 and has been tracked with CVE-2025-24752.
The underlying vulnerability exists in the src/js/view/general.js file:
------------------ CUT HERE ------------------
$(document).ready(function(){
let resetPasswordParams = new URLSearchParams(location.search);
if ( resetPasswordParams.has('popup-selector') && ( resetPasswordParams.has('eael-lostpassword') || resetPasswordParams.has('eael-resetpassword') ) ){
let popupSelector = resetPasswordParams.get('popup-selector');
if(popupSelector.length){
popupSelector = popupSelector.replace(/_/g," ");
setTimeout(function(){
jQuery(popupSelector).trigger('click');
}, 300);
}
}
});
------------------ CUT HERE ------------------On page load, the function checks for a query argument (also known as a search parameter) called popup-selector. The value of this argument then has any _ symbols replaced with spaces and, without additional validation or sanitization, the value is embedded into the page and triggered as if clicked.
The patch
The vendor patched the issue by adding additional validation to the popup-selector variable. This additional validation allows for only alphanumeric characters and a select group of other characters, preventing the methods generally used for XSS attacks. The patch can be seen below:
Conclusion
When working with user-provided data, developers need to ensure this data is properly validated and sanitized against potential process that could lead to XSS. Additionally, when rendering user-provided data back onto the website, it is important to make sure the content is properly escaped to help ensure potential XSS vulnerability.
Want to learn more about finding and fixing vulnerabilities?
Explore our Academy to master the art of finding and patching vulnerabilities within the WordPress ecosystem. Dive deep into detailed guides on various vulnerability types, from discovery tactics for researchers to robust fixes for developers. Join us and contribute to our growing knowledge base.
Timeline
Help us make the Internet a safer place
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.
- If you’re a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
- If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.
