Skip to main content

Simple Link Directory CVE-2026-57682

| EUVDEUVD-2026-41291 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-9547-xvvm-938r
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable XSS (AV:N/PR:N) needing victim interaction (UI:R); script crosses into browser context (S:C) with limited client-side C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:26 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Simple Link Directory <= 15.0.5 versions.

AnalysisAI

Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious script payload
Delivery
Deliver via link or directory submission
Exploit
Victim views affected plugin page
Execution
Script executes in browser context
Impact
Hijack session or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable Simple Link Directory plugin (<= 15.0.5) be installed and its affected front-end feature (submission, search, or listing rendering) be reachable by anonymous users, and it requires user interaction (UI:R) - a victim must open an attacker-crafted link or view attacker-supplied directory content for the payload to fire. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and largely consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or directory-submission payload containing malicious JavaScript that the Simple Link Directory plugin renders without sanitization, then distributes the link via email, social media, or a comment. When a victim (potentially a logged-in administrator) clicks or views the page, the script runs in their browser session and can steal cookies, forge admin actions, or redirect them. …
Remediation Upgrade the Simple Link Directory plugin to the vendor-fixed release above 15.0.5 as soon as it is confirmed available; No vendor-released patch version identified at time of analysis in the provided data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/qc-simple-link-directory/vulnerability/wordpress-simple-link-directory-plugin-15-0-5-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for the exact patched version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for Simple Link Directory plugin (QuantumCloud) versions 15.0.5 and earlier; document inventory and affected URLs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy