A vital safety vulnerability in Important Addons for Elementor has been recognized, probably impacting over two million WordPress web sites.
The flaw, a mirrored cross-site scripting (XSS) vulnerability, was found resulting from inadequate validation of the popup-selector question argument, permitting malicious scripts to be executed.
The difficulty, tracked with CVE-2025-24752, was first uncovered by Patchstack Alliance researcher xssium on September 30, 2024. After notifying the plugin vendor, a repair was carried out in model 6.0.15.
Understanding the Vulnerability
Important Addons for Elementor is the preferred extension for the Elementor web page builder, counting over 2 million lively installations.
It enhances Elementor’s performance by offering further inventive components that assist customers design extra dynamic and visually interesting internet pages.
The flaw originated from the src/js/view/normal.js file, the place the plugin didn’t correctly sanitize the popup-selector argument.
When triggered, this might enable attackers to execute malicious scripts by embedding dangerous content material into the web page.
Learn extra on WordPress plugin safety: WordPress ASE Plugin Vulnerability Threatens Web site Safety
How the Patch Fixes the Concern
The WPDeveloper resolved the vulnerability by implementing stricter validation, allowing solely alphanumeric characters and a restricted set of symbols within the popup-selector argument. This prevents frequent XSS assault strategies from exploiting the flaw.
WordPress builders are reminded of the significance of correctly validating and sanitizing user-provided knowledge.
“When working with user-provided knowledge, builders want to make sure this knowledge is correctly validated and sanitized towards potential processes that might result in XSS,” Patchstack warned.
“Moreover, when rendering user-provided knowledge again onto the web site, it is very important ensure that the content material is correctly escaped to assist guarantee potential XSS vulnerability.”
Failure to take action can expose web sites to vital safety dangers, together with unauthorized entry and knowledge breaches.
