Cross Site Scripting Risk in Prime Slider (CVE-2026-4341)

Cross Site Scripting (XSS) in WordPress Prime Slider – Addons For Elementor Plugin

Plugin Name: WordPress Prime Slider – Addons For Elementor Plugin
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-4341
Urgency: Medium
CVE Publish Date: 2026-04-07
Source URL: CVE-2026-4341

WordPress Prime Slider <= 4.1.10 — Authenticated Stored XSS via follow_us_text (CVE-2026-4341)

Author: Hong Kong Security Expert — Published: 2026-04-08 — Tags: WordPress, Security, XSS, Prime Slider, Vulnerability

Summary: A stored Cross-Site Scripting (XSS) vulnerability affecting Prime Slider – Addons For Elementor (≤ 4.1.10) permits authenticated users with author-level (or higher) privileges to inject script via the follow_us_text parameter. Tracked as CVE-2026-4341; fixed in 4.1.11. This advisory explains risk, detection, remediation, searches, and practical virtual-patch examples.

Background and impact

On 7 April 2026 a stored XSS vulnerability was disclosed affecting Prime Slider – Addons For Elementor (versions up to and including 4.1.10). The plugin stored a value from the follow_us_text parameter without sufficient sanitization or output escaping. An authenticated user (author-level or higher) could inject HTML/JavaScript that is stored and later executed in other users’ browsers when the value is rendered.

The issue is recorded as CVE-2026-4341 and was fixed in version 4.1.11. Although the reported CVSS is moderate (~5.9), stored XSS is high-risk in practice: attackers can steal session tokens, act as admins, persist redirects, or install further backdoors.

Who is at risk

  • Sites running Prime Slider – Addons For Elementor plugin version 4.1.10 or earlier.
  • Sites that allow non-admin authenticated users (Author/Contributor) to create or edit slider content.
  • Sites where follow_us_text is rendered to pages viewed by administrators, editors, or unauthenticated visitors.
  • Multisite networks where the plugin is network-active.

Even low-traffic sites can be targeted or discovered by automated scanning. Treat this as actionable: check versions and patch quickly.

How the vulnerability works (high level)

  1. follow_us_text is a plugin setting/editable field saved to the database (options, postmeta, or plugin settings).
  2. Input handling does not properly sanitize or escape dangerous input (script tags, event attributes).
  3. On output, stored HTML/JS executes in visitors’ browsers. Persistence makes the payload effective across sessions.
  4. An author-level attacker can inject a payload that executes when administrators or other privileged users view the slider.
  5. Consequences include cookie theft, session hijack, CSRF-style privileged actions, or delivery of secondary payloads.
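As an added illustration (not Prime Slider's own code), here is the unsafe save-then-render pattern described above next to a hardened version built on core WordPress sanitization, escaping and capability APIs. The option key and function names are hypothetical, and the snippet assumes it runs inside WordPress so those functions are loaded.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress is loaded.
// Option key 'ps_demo_follow_us_text' and all function names are hypothetical.

// Vulnerable pattern: raw request value is stored, then echoed unescaped.
function ps_demo_save_follow_us_text_vulnerable( $request ) {
    // No sanitization: <script> tags and on* event attributes are stored verbatim.
    update_option( 'ps_demo_follow_us_text', $request['follow_us_text'] );
}

function ps_demo_render_follow_us_text_vulnerable() {
    // No output escaping: whatever was stored runs in every viewer's browser,
    // including administrators who open the page (stored XSS).
    echo '<span class="follow-us">' . get_option( 'ps_demo_follow_us_text' ) . '</span>';
}

// Hardened pattern: check capability, sanitize on save, escape on output.
function ps_demo_save_follow_us_text_hardened( $request ) {
    // Restrict who may change the text; author-level users should not qualify.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $raw = isset( $request['follow_us_text'] ) ? wp_unslash( $request['follow_us_text'] ) : '';

    // The field is a short label, so strip all tags. sanitize_text_field()
    // removes <script>/<style> blocks with their contents, so a constructed
    // input like 'Follow us<script>alert(1)</script>' is stored as 'Follow us'.
    // Use wp_kses_post() instead only if limited HTML is a documented feature.
    $clean = sanitize_text_field( $raw );
    update_option( 'ps_demo_follow_us_text', $clean );
    return $clean;
}

function ps_demo_render_follow_us_text_hardened() {
    // Escape at the point of output regardless of what is in the database;
    // a stored '<' becomes '&lt;' and cannot start a tag in the viewer's browser.
    echo '<span class="follow-us">' . esc_html( get_option( 'ps_demo_follow_us_text', '' ) ) . '</span>';
}
```

Sanitizing on save and escaping on output are independent controls; the second one is what protects readers even when older, already-stored values were never cleaned.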

Exploitation scenarios and attacker goals

  • Privilege escalation pivot: capture admin session/cookies when admin views affected pages.
  • Persistent malware drop: inject scripts that load external malware, ads, or spam.
  • Social engineering & redirects: show fake admin prompts or redirect to phishing/monetized sites.
  • SEO poisoning / spam insertion: hide links or content that degrade reputation and rankings.
  • Second-stage delivery: use XSS to perform authenticated actions (upload plugin, change options).

Safe detection and indicators of compromise

Focus on stored content and behavioral signs:

  • Unexpected inline