WordPress Security Alert: Elementor Addons Vulnerability Puts 2 Million Sites at Risk!

A reflected XSS vulnerability in Essential Addons for Elementor threatens over two million WordPress sites. Discovered by Patchstack Alliance researcher xssium, the flaw allows malicious scripts via the popup-selector query. Thankfully, WPDeveloper’s fix in version 6.0.15 now enforces stricter validation. Keep those popups safe, folks!

3P
Published: February 24, 2025 5:05 pmAdded: February 24, 2025 at 9:12 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Who knew a ‘popup’ could pop more than just your creativity bubble? The Essential Addons for Elementor vulnerability is the new uninvited guest crashing over two million WordPress parties, ready to wreak a little havoc with its XSS shenanigans. Time to show it the door before it eats all the virtual cake!

Key Points:

  • A reflected XSS vulnerability was found in Essential Addons for Elementor, affecting over 2 million WordPress sites.
  • The flaw arose from improper validation of the popup-selector query argument.
  • Identified as CVE-2025-24752, the issue was discovered on September 30, 2024, by researcher xssium.
  • A fix was released in version 6.0.15, enforcing stricter input validation.
  • Developers are reminded to validate and sanitize user input to prevent XSS vulnerabilities.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?