Description
Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser.
Published: 2026-06-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker with contributor-level access to place a malicious value in a shortcode attribute. The plugin echoes this attribute directly into an HTML data attribute without escaping, enabling the injection of an event handler that runs arbitrary JavaScript when the page loads. The code executes in the browser of any authenticated or unauthenticated visitor, potentially leading to exposure of session cookies, theft of personal information, or defacement of the site.

Affected Systems

QuantumCloud’s Simple Link Directory plugin, versions up to and including 9.0.4, is affected when installed on WordPress sites. Users of any WordPress installation running this plugin version could be impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Exploitation requires only that the attacker obtain contributor privileges, which are typically granted to trusted users or developers, making the risk moderate but real. No EPSS score is available, and the vulnerability is not listed in CISA KEV. An attacker carries out the attack by creating or editing a link entry and inserting malicious code into the shortcode attribute, which is then rendered in the public page for any visitor.

Generated by OpenCVE AI on June 10, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Simple Link Directory (version 9.0.5 or later).
  • Restrict contributor privileges to users who are trusted and required for content creation.
  • Disable or remove the affected shortcode functionality if it is not needed for site operation.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wordpress; Wordpress wordpress |
| Vendors & Products | | Wordpress; Wordpress wordpress |

Wed, 10 Jun 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser. |
| Title | | Simple Link Directory through 9.0.4 Stored XSS via Embed Shortcode Attributes |
| First Time appeared | | Quantumcloud; Quantumcloud simple Link Directory |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:quantumcloud:simple_link_directory:*:*:*:*:*:wordpress:*:* |
| Vendors & Products | | Quantumcloud; Quantumcloud simple Link Directory |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T20:39:46.549Z

Reserved: 2026-06-10T17:16:10.427Z

Link: CVE-2026-53742

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:17:02.640

Modified: 2026-06-10T22:17:02.640

Link: CVE-2026-53742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:45:43Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')