The Prime Slider – Addons for Elementor plugin suffers from a stored cross-site scripting vulnerability (CWE-79) due to insufficient input sanitization and output escaping of the 'follow_us_text' setting in the Mount widget. The vulnerable code path is in the `render_social_link()` function within `modules/mount/widgets/mount.php`, which outputs the setting value directly via `echo` without escaping. The setting is stored in the WordPress post meta `_elementor_data` via `update_post_meta`. Authenticated attackers with Author-level privileges or higher can inject arbitrary JavaScript that executes in the context of users visiting the compromised page. This vulnerability affects all versions up to 4.1.10. No patch or official fix has been published yet.

Successful exploitation allows an authenticated user with Author-level access or higher to inject persistent malicious scripts into pages using the vulnerable widget setting. These scripts execute in the browsers of any users who view the infected page, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability does not affect availability and requires low attack complexity with no user interaction. Confidentiality and integrity impacts are limited to the scope of script execution in the victim's browser.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Author-level access to trusted users only and consider disabling or removing the Prime Slider – Addons for Elementor plugin if possible. Monitor for updates from bdthemes and apply patches promptly once available.