Description
The Simple Link Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `qcopd-directory` shortcode in all versions up to, and including, 8.9.2. This is due to insufficient input sanitization and output escaping on user supplied attributes such as `title_font_size`. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-02
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Link Directory WordPress plugin contains a stored XSS flaw in the `qcopd-directory` shortcode: attribute values such as `title_font_size` are neither sanitized on input nor escaped on output. WordPress's KSES filtering strips raw HTML from a contributor's post but leaves shortcode text alone, so an authenticated contributor or higher can place arbitrary JavaScript in an attribute that the plugin then writes straight into the page. The script executes in the browser of anyone who views that page, including editors and administrators who open the post to review it. Likely outcomes are session hijacking, defacement, or other actions performed in the victim's browser with the victim's privileges. The weakness is classified as CWE‑79.
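The page does not show the vulnerable handler, so the following is an added illustration rather than the plugin's own code: it reconstructs the pattern the advisory describes (a shortcode attribute written straight into markup) beside a hardened form. The `demo_` function names and the second `title_color` attribute are hypothetical; `title_font_size` is the attribute the advisory names. It assumes a WordPress runtime for `shortcode_atts()`, `absint()`, `esc_attr()` and `safecss_filter_attr()`.

```php
<?php
/*
 * Added example, not the plugin's code. Shows why a shortcode attribute that
 * is concatenated into HTML is a stored XSS for any user who can edit posts,
 * and how the same handler looks once the value is validated and escaped.
 */

// Vulnerable pattern (assumed shape): the attribute value is concatenated into
// an inline style with no validation and no escaping. A contributor cannot
// post raw HTML because KSES strips it, but the text inside [shortcode ...]
// is not an HTML tag and passes through untouched.
function demo_qcopd_directory_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title_font_size' => '16' ), $atts, 'qcopd-directory' );
    return '<h3 style="font-size:' . $atts['title_font_size'] . 'px">Directory</h3>';
}
// A contributor writes:
//   [qcopd-directory title_font_size='16px" onmouseover="alert(document.domain)']
// and the handler renders:
//   <h3 style="font-size:16px" onmouseover="alert(document.domain)px">Directory</h3>

// Hardened: coerce each attribute to the type it is supposed to be, clamp it,
// and still escape at the point of output so later edits stay safe.
function demo_qcopd_directory_hardened( $atts ) {
    $atts = shortcode_atts(
        array(
            'title_font_size' => '16',
            'title_color'     => '',   // hypothetical free-form attribute, to show the non-numeric case
        ),
        $atts,
        'qcopd-directory'
    );

    // Numeric attribute: absint() turns anything non-numeric into 0, then clamp.
    $size = absint( $atts['title_font_size'] );
    if ( $size < 8 || $size > 72 ) {
        $size = 16;
    }
    $style = 'font-size:' . $size . 'px';

    // Free-form CSS value: run the whole declaration through WordPress's own
    // inline-style filter, which keeps only known properties and drops values
    // containing parentheses, backslashes or url() tricks.
    if ( '' !== $atts['title_color'] ) {
        $style = safecss_filter_attr( $style . ';color:' . $atts['title_color'] );
    }

    // Escape on output regardless of what the validation above let through.
    return '<h3 style="' . esc_attr( $style ) . '">Directory</h3>';
}
```

The important design point is that the two layers are independent: `absint()` alone would already defeat the attribute breakout for a font size, and `esc_attr()` alone would neutralise the quote, but applying both means a future attribute added without validation is still rendered safely as long as the output line is kept.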

Affected Systems

All installations of the Simple Link Directory plugin (vendor: quantumcloud) for WordPress up to and including version 8.9.2 are affected. No fixed version and no vendor advisory are recorded on this page, so treat any site running 8.9.2 or earlier as vulnerable and check the plugin's changelog for the release that addresses this CVE.

Risk and Exploitability

The CVSS 3.1 base score is 6.4 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network with low complexity, requiring only low privileges (a contributor account), with the changed scope reflecting that script injected by one user runs in other users' browsers. No EPSS score is available and the CVE is not listed in the CISA KEV catalog. Exploitation requires an account at contributor level or above that can insert or edit the shortcode in a post; that role is commonly granted to guest authors, and a contributor's post does not need to be published for an editor or administrator to open it in preview. Once stored, the payload remains in the post content and its revisions until it is edited out; updating to a fixed plugin stops it from rendering but does not remove it. Every visitor who loads the affected page, including privileged users reviewing it, is exposed.

Generated by OpenCVE AI on May 2, 2026 at 06:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Link Directory plugin to the first release above 8.9.2 that the vendor identifies as fixing this issue; no fixed version is recorded on this page, so confirm it against the plugin's changelog before relying on it.
  • If an immediate upgrade is not possible, neutralise the shortcode on the front end (for example, override or remove the `qcopd-directory` handler from a must-use plugin so the tag renders nothing), review which accounts hold contributor-level or higher roles, or disable the plugin entirely in production.
  • Audit stored content: search post content for `[qcopd-directory` and inspect attribute values for quotes, angle brackets, `on*=` handlers or `javascript:` URLs, and remove any that are found. A WAF or security plugin that blocks common XSS payloads in request bodies reduces new injections but does not clean what is already stored.
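A stopgap that implements the second and third actions above, added here as an example and not the vendor's or OpenCVE's code. It is a must-use plugin (drop it in `wp-content/mu-plugins/`) that overrides the shortcode so it renders nothing, and a function that scans stored posts for suspicious attribute values using WordPress's own shortcode parser. It assumes the plugin registers its shortcode on or before the `init` hook; the `qcopd_stopgap_` names are hypothetical.

```php
<?php
/*
 * Plugin Name: qcopd-directory stopgap (added example, not vendor code)
 * Description: Neutralises the qcopd-directory shortcode and locates stored
 *              payloads until the plugin can be updated.
 */

// 1. Neutralise the shortcode on the front end. add_shortcode() on an
//    existing tag replaces its handler, so the tag now renders an empty
//    string instead of unescaped markup. Late priority so we run after the
//    plugin's own registration (assumed to happen on or before init).
add_action( 'init', function () {
    if ( shortcode_exists( 'qcopd-directory' ) ) {
        add_shortcode( 'qcopd-directory', '__return_empty_string' );
    }
}, PHP_INT_MAX );

// 2. Hunt for payloads already stored in post content. Attribute values that
//    contain quotes, angle brackets, an on*= handler or a javascript: scheme
//    have no business in a layout attribute such as a font size.
//    Returns a list of arrays: post_id, author, attribute name, raw value.
function qcopd_stopgap_find_suspicious( $tag = 'qcopd-directory' ) {
    global $wpdb;

    // Narrow the candidate set in SQL, then parse properly in PHP.
    // Trashed posts are included on purpose: they can be restored.
    $like = '%' . $wpdb->esc_like( '[' . $tag ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_author, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
            $like
        )
    );

    // get_shortcode_regex() restricted to one tag; capture group 3 holds the
    // raw attribute string, exactly as do_shortcode() sees it.
    $pattern = get_shortcode_regex( array( $tag ) );
    $danger  = '/[<>"\']|\bon\w+\s*=|javascript:/i';
    $hits    = array();

    foreach ( $rows as $row ) {
        if ( ! preg_match_all( '/' . $pattern . '/', $row->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // Same parser the plugin's handler receives its $atts from, so a
            // value that breaks out of the attribute is seen the same way.
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                continue;
            }
            foreach ( $atts as $name => $value ) {
                if ( preg_match( $danger, (string) $value ) ) {
                    $hits[] = array(
                        'post_id' => (int) $row->ID,
                        'author'  => (int) $row->post_author,
                        'attr'    => (string) $name,
                        'value'   => (string) $value,
                    );
                }
            }
        }
    }
    return $hits;
}
```

Run the scan from a shell on the server with `wp eval 'print_r( qcopd_stopgap_find_suspicious() );'` and clean up the flagged posts by hand. Overriding the handler rather than calling `remove_shortcode()` keeps the raw `[qcopd-directory ...]` text out of rendered pages; either way the stored attribute text is inert until it is rendered by a handler that fails to escape it, which is why the override must stay in place until the plugin is updated.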

Advisories

No advisories yet.

History

Sat, 02 May 2026 05:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Quantumcloud; Quantumcloud simple Link Directory; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Quantumcloud; Quantumcloud simple Link Directory; Wordpress; Wordpress wordpress

Sat, 02 May 2026 04:15:00 +0000

Type: Description
Values added: (the description shown at the top of this page)

Type: Title
Values added: Simple Link Directory <= 8.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Quantumcloud Simple Link Directory
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T03:36:43.260Z

Reserved: 2026-04-27T14:43:03.729Z

Link: CVE-2026-7209

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T04:16:23.453

Modified: 2026-05-02T04:16:23.453

Link: CVE-2026-7209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses