The Simple Link Directory plugin for WordPress contains an improper neutralization of user input during page rendering that allows a reflected cross‑site scripting vulnerability. An attacker can inject arbitrary JavaScript that is executed in the context of a victim’s browser when the crafted payload is reflected back to them, enabling session hijacking, phishing or content defacement. This weakness is classified as CWE‑79.

The quantumcloud Simple Link Directory plugin, versions older than 14.8.1, are affected. Any installation that has not upgraded past 14.8.1 is vulnerable and may be exposed when a user receives or visits a malicious URL constructed with unsanitized query parameters or form input.

The CVSS score of 7.1 indicates a high severity assessment. The EPSS score of less than 1% signals a low likelihood of widespread exploitation, but the vulnerability remains a viable target for deliberate attacker campaigns. It is not listed in the CISA KEV catalog. The likely attack vector is remote, where an attacker crafts a malicious link or form submission that contains JavaScript, which is then returned in the plugin’s response and executed within the victim’s browser. Successful exploitation could compromise the confidentiality and integrity of the victim’s session data.