CVE-2025-24752
Published 2025-04-17
CVE-2025-24752: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor…
Priority: P278 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.16% (63.1th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor (essential-addons-for-elementor-lite) allows Reflected XSS. This issue affects Essential Addons for Elementor: from n/a through 6.0.14 inclusive.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpdeveloper | essential_addons_for_elementor | < 6.0.15 | 6.0.15 |
| wpdeveloper | essential_addons_for_elementor | <= 6.0.14 | — |
Detection & IOCs (extracted from sources)
URL parameter: `eael-lostpassword=1'`
- Reflected XSS triggered via the `eael-lostpassword` query parameter in Essential Addons for Elementor; monitor GET/POST requests containing this parameter with injected script payloads.
- Detection template uses a DOM-based dialog trigger (`waitdialog`) combined with a random integer reflected in the response body, indicating the XSS payload is reflected directly into the page.
- Nuclei template fingerprint/digest can be used to identify the specific PoC template targeting this CVE.
- Vulnerability affects Essential Addons for Elementor versions from n/a through 6.0.14 (inclusive); versions above 6.0.14 are not confirmed affected.
- Note that the indexed sources name different input points: the VulnCheck description cites the `popup-selector` query argument, while the Nuclei template exercises `eael-lostpassword`. Defenders monitoring request logs should account for both.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| VulnCheck | — | 6.1 | MEDIUM | — |
GHSA
GHSA-gp3q-2c8h-jhrv (ghsa_unreviewed · 2025-04-17 · severity HIGH · CWE-79)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor allows Reflected XSS. This issue affects Essential Addons for Elementor: from n/a through 6.0.14.
VulnCheck
Essential Addons for Elementor Reflected Cross Site Scripting (XSS) Vulnerability (vulncheck · 2025 · CVSS 6.1 · MEDIUM)
The Essential Addons for Elementor WordPress plugin is vulnerable to insufficient validation and sanitizing of the popup-selector query argument. Versions prior to 6.0.15 are affected.
Affected: WPDeveloper Essential Addons for Elementor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/essential-addons-for-elementor-lite/vulnerability/wordpress-essential-addons-for-elementor-plugin-6-0-14-reflected-cross-site-scripting-xss-vulnerability
Exploit PoC: https://vulncheck.com/xdb/12c20cdf79c4
No detection rules found.
Nuclei
Essential Addons for Elementor < 6.0.15 - Cross-Site Scripting (nuclei · CVSS 6.1 · MEDIUM)
Description (as indexed): Essential Addons for Elementor …
Request fragment: `&eael-lostpassword=1'`
Template excerpt (headless steps and matchers only; the template header and the navigate step's request arguments are not part of the indexed excerpt):

```yaml
    steps:
      # navigate to the affected page; the request URL is not included in the excerpt
      - action: navigate
      # wait for a DOM dialog and record whether it fired under this name
      - action: waitdialog
        name: subdomain_object_dom
    matchers-condition: and
    matchers:
      # the dialog must have been triggered
      - type: dsl
        dsl:
          - subdomain_object_dom == true
      # and the random marker must be reflected in the response body
      - type: word
        part: body
        words:
          - "{{random_int}}"
        case-insensitive: true
# digest: 4a0a00473045022100c2aabebd270ac8a72178abe4cbf0dfd776d956974f5171bfc4bf22e1cc90a9ac02205f696f0ca7e2352b01f0b6c7271fbde0e7dc54532101508ae30b9b1c42fc4e33:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.