Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible stored XSS requiring contributor authentication (PR:L), passive victim page-view (UI:R), with cross-site scope change and limited confidentiality/integrity impact on the victim browser.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser.
AnalysisAI
Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.
Technical ContextAI
The vulnerability resides in the WordPress plugin Simple Link Directory by QuantumCloud, identified via CPE cpe:2.3:a:quantumcloud:simple_link_directory:*:*:*:*:*:*:*:*. The plugin provides an embed shortcode mechanism that accepts developer-defined attributes; these attributes are passed through to an embedder template and written directly into HTML data attributes (e.g., data-foo='[VALUE]') without output encoding or sanitization. This represents a classic CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting) root cause: untrusted input from shortcode arguments is interpolated into rendered HTML without HTML entity encoding or context-aware escaping. Because the payload is persisted in post content and executed on page load for every viewer, this is classified as stored (persistent) XSS rather than reflected. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:P confirms: network-accessible, low complexity, low privilege to inject, and passive user interaction (page view) to trigger.
RemediationAI
Update Simple Link Directory to a version above 9.0.4 once a patched release is confirmed available - monitor the plugin changelog at https://wordpress.org/plugins/simple-link-directory/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/simple-link-directory-through-stored-xss-via-embed-shortcode-attributes for a confirmed fix version. No exact patched version has been independently confirmed from the available data, so installations should verify via the WordPress admin dashboard that any update resolves the shortcode escaping issue. As an immediate compensating control, restrict the contributor role to only fully trusted users, or temporarily disable the embed shortcode feature if it is not required - note that disabling it may break existing embeds across the site. Deploying a web application firewall rule targeting XSS patterns in shortcode parameters can reduce risk but should not be treated as a permanent substitute for the vendor patch, as WAF bypass techniques are widely known.
More in Simple Link Directory
View allThe Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using
Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows
Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a l
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36143
GHSA-w47h-mhf5-ch25