Simple Link Directory
Monthly
Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.
Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.
The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.
Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.
The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.