Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered stored payload (AV:N), low-privilege write required (PR:L per reporter), victim page-visit triggers execution (UI:R), scope changes to victim browsers (S:C), with session/DOM impact (C:L/I:L) but no availability harm.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.
AnalysisAI
Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.
Technical ContextAI
Simple Link Directory is a WordPress plugin (CPE: cpe:2.3:a:quantumcloud:simple_link_directory:*:*:*:*:*:*:*:*) that presents categorized hyperlink collections. The vulnerable sink is a server-side PHP option value - sld_no_results_found - concatenated into a JavaScript string literal in page output (e.g., var message = '[OPTION VALUE]'). WordPress's sanitize_text_field() is applied at input time, which strips HTML tags and certain characters but deliberately preserves single and double quotes, making it inappropriate for JavaScript string contexts. CWE-79 (Improper Neutralization of Input During Web Page Generation) applies specifically in the stored XSS variant: the payload is written once by a privileged actor and then reflected to every subsequent page visitor without escaping. The correct control would be wp_json_encode() or esc_js() at the output stage.
RemediationAI
No vendor-released patch version is independently confirmed in the available data - affected organizations should monitor the plugin's WordPress.org changelog at https://wordpress.org/plugins/simple-link-directory/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/simple-link-directory-through-stored-xss-via-sld-no-results-found-option for an updated release. As an immediate compensating control, administrators should audit and clear the sld_no_results_found option value in the WordPress options table (wp_options, option_name = 'sld_no_results_found') to remove any existing malicious payload. Restricting plugin settings modification to known-trusted administrator accounts via role hardening (removing plugin editing capability from Contributor and Editor roles) reduces the attack surface while a patch is awaited. Deploying a web application firewall rule to block quote characters in the relevant plugin settings submission endpoint is an additional layer but carries a trade-off of breaking legitimate customization of that field.
More in Simple Link Directory
View allThe Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using
Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows
Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows l
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36142
GHSA-8xmc-m5c8-64g5