Skip to content

Popular WordPress Plugin Under Cyberattack: Vulnerability Threatens Millions of Websites

In today’s world, website security is becoming an increasingly critical issue. A vulnerability has been discovered in a widely used WordPress plugin, potentially exposing millions of websites to cyberattacks. The affected plugin is Essential Addons for Elementor. The discovered vulnerability (CVE-2025-24752) allows attackers to inject malicious code into the website and deceive users.

The vulnerability was caused by insufficient validation of user input. In the src/js/view/general.js file of the plugin, the popup-selector parameter was improperly sanitized. This meant that an attacker could insert malicious JavaScript code through the URL, which would then be reflected back to users without proper validation.

Due to this vulnerability, attackers could:

  • Hijack user sessions (Session Hijacking): Gain control over user accounts on the site.
  • Conduct phishing attacks: Redirect users to fake pages to steal their confidential information.
  • Obtain administrative privileges: Gain unauthorized access to the WordPress admin panel.

The vulnerability received a CVSS score of 7.1, classifying it as a high-risk issue. This is a significant threat, as Essential Addons for Elementor is actively used on more than 2 million websites worldwide.

Security researcher xssium reported the vulnerability through the Patchstack Alliance, and the WPDeveloper team fixed the issue in version 6.0.15. The implemented fixes included:

  • Strict input validation: The popup-selector parameter now only accepts letters, numbers, and a limited set of symbols (-, .).
  • Proper data filtering: Dangerous characters that could be used by attackers have been entirely removed.
  • Protection on both server and client sides: Data validation is now performed not only in the browser but also on the server.

This incident highlights several essential cybersecurity principles:

  1. Strict input validation.
    • All user inputs should be validated using a whitelist approach.
    • Instead of merely blocking harmful characters, only explicitly allowed values should be accepted.
  2. The need for third-party plugin security monitoring.
    • Popular plugins are frequently targeted, making regular updates essential.
    • Using WordPress security plugins can help mitigate risks.
  3. Multi-layered protection.
    • Data should be validated both on the server and in the browser.
    • The use of a Web Application Firewall (WAF) is recommended for additional security.

If your website uses Essential Addons for Elementor, follow these steps:

Update the plugin to version 6.0.15 or later.

Scan your website for potential cross-site scripting (XSS) vulnerabilities.

Use a Web Application Firewall (WAF) or security plugins to prevent attacks.

Enable two-factor authentication (2FA) for administrator accounts and other critical logins.

With the increasing number of cyber threats, website security must be a top priority. The discovered vulnerability in Essential Addons for Elementor once again proves the necessity of regular updates and strict security measures. WordPress administrators should ensure timely updates, implement cybersecurity measures, and carefully verify the reliability of third-party plugins.

Developers must also prioritize strict filtering of user input and secure data processing. Only by doing so can we minimize the risks of attacks and create a safer digital environment.