Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network-reachable XSS (AV:N/PR:N) needing victim interaction (UI:R); script crosses into browser context (S:C) with limited client-side C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Simple Link Directory <= 15.0.5 versions.
AnalysisAI
Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the vulnerable Simple Link Directory plugin (<= 15.0.5) be installed and its affected front-end feature (submission, search, or listing rendering) be reachable by anonymous users, and it requires user interaction (UI:R) - a victim must open an attacker-crafted link or view attacker-supplied directory content for the payload to fire. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and largely consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or directory-submission payload containing malicious JavaScript that the Simple Link Directory plugin renders without sanitization, then distributes the link via email, social media, or a comment. When a victim (potentially a logged-in administrator) clicks or views the page, the script runs in their browser session and can steal cookies, forge admin actions, or redirect them. … |
| Remediation | Upgrade the Simple Link Directory plugin to the vendor-fixed release above 15.0.5 as soon as it is confirmed available; No vendor-released patch version identified at time of analysis in the provided data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/qc-simple-link-directory/vulnerability/wordpress-simple-link-directory-plugin-15-0-5-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for the exact patched version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for Simple Link Directory plugin (QuantumCloud) versions 15.0.5 and earlier; document inventory and affected URLs. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Simple Link Directory
View allThe Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using
Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows l
Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a l
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41291
GHSA-9547-xvvm-938r