Skip to main content

Simple Link Directory EUVDEUVD-2026-36143

| CVE-2026-53742 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 VulnCheck GHSA-w47h-mhf5-ch25
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-accessible stored XSS requiring contributor authentication (PR:L), passive victim page-view (UI:R), with cross-site scope change and limited confidentiality/integrity impact on the victim browser.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 21:27 vuln.today

DescriptionCVE.org

Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser.

AnalysisAI

Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.

Technical ContextAI

The vulnerability resides in the WordPress plugin Simple Link Directory by QuantumCloud, identified via CPE cpe:2.3:a:quantumcloud:simple_link_directory:*:*:*:*:*:*:*:*. The plugin provides an embed shortcode mechanism that accepts developer-defined attributes; these attributes are passed through to an embedder template and written directly into HTML data attributes (e.g., data-foo='[VALUE]') without output encoding or sanitization. This represents a classic CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting) root cause: untrusted input from shortcode arguments is interpolated into rendered HTML without HTML entity encoding or context-aware escaping. Because the payload is persisted in post content and executed on page load for every viewer, this is classified as stored (persistent) XSS rather than reflected. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:P confirms: network-accessible, low complexity, low privilege to inject, and passive user interaction (page view) to trigger.

RemediationAI

Update Simple Link Directory to a version above 9.0.4 once a patched release is confirmed available - monitor the plugin changelog at https://wordpress.org/plugins/simple-link-directory/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/simple-link-directory-through-stored-xss-via-embed-shortcode-attributes for a confirmed fix version. No exact patched version has been independently confirmed from the available data, so installations should verify via the WordPress admin dashboard that any update resolves the shortcode escaping issue. As an immediate compensating control, restrict the contributor role to only fully trusted users, or temporarily disable the embed shortcode feature if it is not required - note that disabling it may break existing embeds across the site. Deploying a web application firewall rule targeting XSS patterns in shortcode parameters can reduce risk but should not be treated as a permanent substitute for the vendor patch, as WAF bypass techniques are widely known.

Share

EUVD-2026-36143 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy