Skip to main content

Simple Link Directory

4 CVEs product

Monthly

CVE-2026-57682 HIGH This Week

Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS Simple Link Directory
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53742 MEDIUM This Month

Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.

XSS Simple Link Directory
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53741 MEDIUM This Month

Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.

XSS Simple Link Directory
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2022-0760 CRITICAL POC PATCH THREAT Act Now

The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi WordPress Simple Link Directory
NVD WPScan
CVSS 3.1
9.8
EPSS
10.8%
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS Simple Link Directory
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.

XSS Simple Link Directory
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.

XSS Simple Link Directory
NVD
EPSS 11% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi WordPress Simple Link Directory
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy