The Simple Link Directory Pro plugin for WordPress implements database queries without properly neutralizing special characters in user input. This allows an attacker to craft input that injects arbitrary SQL commands, potentially reading, modifying, or deleting sensitive information stored in the WordPress database. The vulnerability stems from a failure to escape or validate data before it is incorporated into an SQL statement, aligning with CWE‑89. The attacker could use the plugin’s exposed input fields to execute malicious queries, leading to unintended disclosure of private data or compromise of site integrity.

The flaw exists in the quantumcloud Simple Link Directory plug‑in for WordPress, affecting all released versions prior to 14.8.1. Sites running this plug‑in before that version are vulnerable, regardless of the underlying WordPress or hosting environment.

This issue carries a CVSS score of 8.5, indicating a high severity. The EPSS score is reported as <1%, showing a very low probability of exploitation based on current data. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. Nevertheless, the potential for unauthorized database access is significant, likely via crafted HTTP requests or other web input to the plugin’s public interfaces.