CVE-2026-53741 | Simple Link Directory through 9.0.4 interpolates the sld_no_… | CVSS 5.4 MEDIUM

Description

Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.

Metadata

CVE ID: CVE-2026-53741
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 17:16 UTC
Published: 2026-06-10 20:39 UTC
Last updated: 2026-06-11 14:41 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: quantumcloud / Simple Link Directory
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
quantumcloud	Simple Link Directory	—	0 ≤ 9.0.4

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.1	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References (2)

WordPress Plugin Repository https://wordpress.org/plugins/simple-link-directory/
VulnCheck Advisory: Simple Link Directory through 9.0.4 Stored XSS via sld_no_results_found Option https://www.vulncheck.com/advisories/simple-link-directory-through-stored-xss-via-sld-no-results-found-option