Vulnerabilities ›

CVE-2026-4341

Medium

CWE-79 — Weakness Type

                    Published: Apr 8, 2026                      ·  Modified: Apr 11, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifically, the `render_social_link()` function in `modules/mount/widgets/mount.php` outputs the `follow_us_text` Elementor widget setting using `echo` without any escaping function. The setting value is stored in `_elementor_data` post meta via `update_post_meta`. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The Prime Slider plugin for WordPress contains a Stored XSS vulnerability in the Mount widget's follow_us_text setting that allows authenticated authors to inject malicious scripts. Attackers with Author-level access can execute arbitrary JavaScript when users view affected pages.

📄 Description (Arabic)

تحتوي إضافة Prime Slider على ثغرة Stored XSS في دالة render_social_link() حيث يتم إخراج إعداد follow_us_text بدون تجنب أو تنظيف. يمكن للمهاجمين المصرحين بمستوى المؤلف أو أعلى حقن نصوص برمجية عشوائية يتم تنفيذها عند وصول أي مستخدم إلى الصفحة المتأثرة.

🤖 ملخص تنفيذي (AI)

ثغرة Stored XSS في إضافة Prime Slider لـ WordPress تسمح للمهاجمين المصرحين بمستوى المؤلف بحقن نصوص برمجية ضارة. يمكن تنفيذ JavaScript عشوائي عند وصول المستخدمين إلى الصفحات المتأثرة.

🤖 AI Intelligence Analysis Analyzed: May 13, 2026 23:48

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom

🎯 MITRE ATT&CK Techniques

T1190 T1598 T1566

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update Prime Slider plugin to version 4.1.11 or later immediately. Implement input validation and output escaping for all widget settings. Review user access controls and limit Author-level permissions. Conduct security audit of all Elementor widgets for similar vulnerabilities.

🔧 خطوات المعالجة (العربية)

حدّث إضافة Prime Slider إلى الإصدار 4.1.11 أو أحدث فوراً. طبّق التحقق من المدخلات والهروب من المخرجات لجميع إعدادات الأدوات. راجع عناصر التحكم في الوصول وحدّد صلاحيات مستوى المؤلف. أجرِ تدقيقاً أمنياً لجميع أدوات Elementor للتحقق من ثغرات مماثلة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.2.1 5.2.2

🔵 SAMA CSF

CC6.1 CC7.2

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5

🔗 References & Sources 6

🔗

https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/4.1.9/module...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/tags/4.1.9/module...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/trunk/modules/mou...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/bdthemes-prime-slider-lite/trunk/modules/mou...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=349367...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/4a2ef416-4354-4e09-b9be-e36c1...

security@wordfence.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-79

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-04-08

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-4341

💬 Comments

Introduce Yourself

Sign In Required