Description
Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.
Published: 2026-06-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Link Directory plugin fails to escape the value of the sld_no_results_found option when rendering it inside a JavaScript string literal. The sanitization function keeps quotation marks, so an attacker can store a payload that closes the string and injects script code. The injected script then runs in the browser of every user who visits a page that loads the option, allowing attackers to steal cookies, perform actions on behalf of the user, or load additional malicious content.
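
The pattern described above, as an added example that is not taken from the plugin's source: a stored value containing quotes is pasted into a single-quoted JavaScript literal, beside the same value emitted through json_encode() with the JSON_HEX_* flags. The function names, the JavaScript variable name sld_no_results and the sample message are assumptions, and strip_tags() stands in for sanitize_text_field() so the block runs without WordPress.

```php
<?php
// Added illustration. render_unsafe(), render_safe(), sanitize_like_text_field()
// and the JS variable name are hypothetical, not the plugin's identifiers.

// Stand-in for the behaviour the advisory describes: tags are stripped,
// quotation marks are left in place.
function sanitize_like_text_field(string $value): string {
    return trim(strip_tags($value));
}

// Vulnerable pattern: the option value is concatenated between quotes
// inside an inline script, with no JavaScript-context encoding.
function render_unsafe(string $message): string {
    return "<script>var sld_no_results = '" . $message . "';</script>";
}

// Hardened pattern: json_encode() produces the complete string literal.
// The HEX flags turn ' " & < > into \uXXXX escapes, so the value cannot
// end the literal or close the surrounding <script> element.
function render_safe(string $message): string {
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $literal = json_encode($message, $flags);
    if ($literal === false) {
        // Encoding failed (for example invalid UTF-8): emit an empty string.
        $literal = '""';
    }
    return '<script>var sld_no_results = ' . $literal . ';</script>';
}

// Constructed, benign sample value that contains both quote characters.
$stored = sanitize_like_text_field("Sorry, we couldn't find \"that\" link");

// In the first line the apostrophe ends the literal early; in the second
// the same value stays inside one string.
echo render_unsafe($stored), PHP_EOL;
echo render_safe($stored), PHP_EOL;
```

In WordPress code, wp_json_encode() accepts the same flags.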

Affected Systems

All WordPress sites running the Simple Link Directory plugin from QuantumCloud version 9.0.4 or earlier are impacted. Sites that rely on the plugin’s option to display custom messages when no results are found must be inspected for this vulnerability.

Risk and Exploitability

With a CVSS score of 5.1 this vulnerability carries a moderate severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, implying no current widespread exploitation reports. The most likely attack path requires an authenticated user with access to modify plugin settings or an attacker able to supply content that influences the sld_no_results_found option. Once stored, the payload is executed for every future visitor without further interaction.

Generated by OpenCVE AI on June 10, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Simple Link Directory to version 9.0.5 or later, which removes the unsanitized JavaScript rendering.
  • If the latest version is not available, immediately disable or delete the sld_no_results_found option and restore it to a safe, literal string.
  • If upgrading or disabling is not feasible, temporarily deactivate the plugin on all sites until an official fix is released.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 23:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Wordpress; Wordpress wordpress |
| Vendors & Products | | Wordpress; Wordpress wordpress |

Wed, 10 Jun 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor. |
| Title | | Simple Link Directory through 9.0.4 Stored XSS via sld_no_results_found Option |
| First Time appeared | | Quantumcloud; Quantumcloud simple Link Directory |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:quantumcloud:simple_link_directory:*:*:*:*:*:wordpress:*:* |
| Vendors & Products | | Quantumcloud; Quantumcloud simple Link Directory |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T20:39:45.823Z

Reserved: 2026-06-10T17:16:10.427Z

Link: CVE-2026-53741

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:17:02.503

Modified: 2026-06-10T22:17:02.503

Link: CVE-2026-53741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')