{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4341", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T15:32:13.723Z", "datePublished": "2026-04-08T03:36:08.934Z", "dateUpdated": "2026-04-08T16:50:40.549Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:40.549Z"}, "affected": [{"vendor": "bdthemes", "product": "Prime Slider \u2013 Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Prime Slider \u2013 Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifically, the `render_social_link()` function in `modules/mount/widgets/mount.php` outputs the `follow_us_text` Elementor widget setting using `echo` without any escaping function. The setting value is stored in `_elementor_data` post meta via `update_post_meta`. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Prime Slider <= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4a2ef416-4354-4e09-b9be-e36c1f655110?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/trunk/modules/mount/widgets/mount.php#L1027"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/4.1.9/modules/mount/widgets/mount.php#L1027"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/trunk/modules/mount/widgets/mount.php#L230"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/4.1.9/modules/mount/widgets/mount.php#L230"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3493676%40bdthemes-prime-slider-lite&new=3493676%40bdthemes-prime-slider-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-03-17T15:47:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T15:20:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:56:04.299674Z", "id": "CVE-2026-4341", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:56:17.804Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:56:04.299674Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:56:10.628Z"}}], "cna": {"title": "Prime Slider <= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bdthemes", "product": "Prime Slider \u2013 Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T15:47:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T15:20:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4a2ef416-4354-4e09-b9be-e36c1f655110?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/trunk/modules/mount/widgets/mount.php#L1027"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/4.1.9/modules/mount/widgets/mount.php#L1027"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/trunk/modules/mount/widgets/mount.php#L230"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/4.1.9/modules/mount/widgets/mount.php#L230"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3493676%40bdthemes-prime-slider-lite&new=3493676%40bdthemes-prime-slider-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Prime Slider \u2013 Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifically, the `render_social_link()` function in `modules/mount/widgets/mount.php` outputs the `follow_us_text` Elementor widget setting using `echo` without any escaping function. The setting value is stored in `_elementor_data` post meta via `update_post_meta`. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T03:36:08.934Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4341", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:56:17.804Z", "dateReserved": "2026-03-17T15:32:13.723Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T03:36:08.934Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Prime Slider \u2013 Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifically, the `render_social_link()` function in `modules/mount/widgets/mount.php` outputs the `follow_us_text` Elementor widget setting using `echo` without any escaping function. The setting value is stored in `_elementor_data` post meta via `update_post_meta`. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4341", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T05:16:06.840", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/4.1.9/modules/mount/widgets/mount.php#L1027"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/4.1.9/modules/mount/widgets/mount.php#L230"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/trunk/modules/mount/widgets/mount.php#L1027"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/trunk/modules/mount/widgets/mount.php#L230"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3493676%40bdthemes-prime-slider-lite&new=3493676%40bdthemes-prime-slider-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4a2ef416-4354-4e09-b9be-e36c1f655110?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.1.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Prime Slider \u2013 Addons for Elementor", "source": "cna", "vendor": "bdthemes"}, "product": "prime_slider_\u2013_addons_for_elementor", "vendor": "bdthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T05:22:27.241887+00:00", "value": {"mitigation_remediation": ["Upgrade Prime Slider \u2013 Addons for Elementor to the latest patched release if one exists.", "If an upgrade is not available, disable the Mount widget or the entire plugin to remove the XSS vector.", "Limit Author or higher privileges to trusted users only, preventing unauthorized widget edits.", "Apply additional security measures such as a content\u2011security\u2011policy header or a security plugin that sanitizes user input."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress installations running Prime Slider \u2013 Addons for Elementor up to and including version 4.1.10 are affected due to the render_social_link() function in modules/mount/widgets/mount.php.", "description_and_impact": "Prime Slider \u2013 Addons for Elementor is vulnerable to stored cross\u2011site scripting through the follow_us_text setting in the Mount widget. The plugin fails to sanitize or escape this setting when outputting it, allowing an authenticated user with Author level or higher to inject arbitrary JavaScript into the widget\u2019s output. Once stored, the script runs whenever a page containing the widget is viewed, potentially exposing data or controlling the user session.", "risk_and_exploitability": "The CVSS score is 6.4 and the vulnerability is not listed in KEV, indicating no widespread exploitation to date. An attacker must first authenticate to the WordPress admin interface with at least Author access to modify the widget setting. After injecting malicious code, the attacker can achieve client\u2011side script execution on any user that views the affected page. While there is no publicly documented exploit, the lack of input validation makes the vulnerability readily exploitable by anyone who can reach the editor."}}}}, "created": "2026-04-08T19:33:26.855570+00:00", "updated": "2026-04-08T19:44:03.034253+00:00", "vendors": ["bdthemes", "bdthemes$PRODUCT$prime_slider_\u2013_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}