Skip to main content

Simple Link Directory CVE-2026-53741

| EUVDEUVD-2026-36142 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 VulnCheck GHSA-8xmc-m5c8-64g5
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-delivered stored payload (AV:N), low-privilege write required (PR:L per reporter), victim page-visit triggers execution (UI:R), scope changes to victim browsers (S:C), with session/DOM impact (C:L/I:L) but no availability harm.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 21:26 vuln.today

DescriptionCVE.org

Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.

AnalysisAI

Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.

Technical ContextAI

Simple Link Directory is a WordPress plugin (CPE: cpe:2.3:a:quantumcloud:simple_link_directory:*:*:*:*:*:*:*:*) that presents categorized hyperlink collections. The vulnerable sink is a server-side PHP option value - sld_no_results_found - concatenated into a JavaScript string literal in page output (e.g., var message = '[OPTION VALUE]'). WordPress's sanitize_text_field() is applied at input time, which strips HTML tags and certain characters but deliberately preserves single and double quotes, making it inappropriate for JavaScript string contexts. CWE-79 (Improper Neutralization of Input During Web Page Generation) applies specifically in the stored XSS variant: the payload is written once by a privileged actor and then reflected to every subsequent page visitor without escaping. The correct control would be wp_json_encode() or esc_js() at the output stage.

RemediationAI

No vendor-released patch version is independently confirmed in the available data - affected organizations should monitor the plugin's WordPress.org changelog at https://wordpress.org/plugins/simple-link-directory/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/simple-link-directory-through-stored-xss-via-sld-no-results-found-option for an updated release. As an immediate compensating control, administrators should audit and clear the sld_no_results_found option value in the WordPress options table (wp_options, option_name = 'sld_no_results_found') to remove any existing malicious payload. Restricting plugin settings modification to known-trusted administrator accounts via role hardening (removing plugin editing capability from Contributor and Editor roles) reduces the attack surface while a patch is awaited. Deploying a web application firewall rule to block quote characters in the relevant plugin settings submission endpoint is an additional layer but carries a trade-off of breaking legitimate customization of that field.

Share

CVE-2026-53741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy