CVE-2026-53741

Stored Cross-Site Scripting in Simple Link Directory Plugin

Vulnerability report for CVE-2026-53741, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description

Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

AI Quick Actions

Executive Summary

This vulnerability exists in Simple Link Directory through version 9.0.4. It occurs because the sld_no_results_found option is inserted into a JavaScript string literal without proper encoding. The function sanitize_text_field does not remove quotes, which allows a stored malicious payload to break out of the string context and execute arbitrary script code for every visitor of the page.

Impact Analysis

The vulnerability allows an attacker to inject JavaScript that executes in the browser of every visitor to an affected page. As a stored cross-site scripting (XSS) issue, it can expose user data and session tokens and allow actions to be performed on behalf of users without their consent.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the Simple Link Directory plugin up to version 9.0.4, caused by improper encoding of the sld_no_results_found option in JavaScript.

To detect this vulnerability on your system, you can check if your WordPress installation uses the Simple Link Directory plugin version 9.0.4 or earlier.

You can also inspect the JavaScript code on pages using the plugin to see if the sld_no_results_found option is interpolated without proper encoding, which may allow script injection.

While no specific commands are provided in the resources, general detection steps include:

  • Use WP-CLI to check the installed plugin version: `wp plugin list --format=json | jq '.[] | select(.name=="simple-link-directory")'`
  • Manually review or grep plugin files for usage of `sld_no_results_found` in JavaScript contexts: `grep -r "sld_no_results_found" wp-content/plugins/simple-link-directory/`
  • Use a web vulnerability scanner or browser developer tools to inspect if any injected scripts run on pages using the plugin.

Mitigation Strategies

To mitigate this stored XSS vulnerability in Simple Link Directory, the immediate step is to update the plugin to a version later than 9.0.4 where the issue is fixed.

If an update is not immediately available, consider disabling or removing the plugin until a patch is released.

Additionally, review and sanitize any user input or options related to sld_no_results_found to ensure no malicious scripts can be injected.

Implementing a Web Application Firewall (WAF) that can detect and block XSS payloads may also help reduce risk temporarily.
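The encoding defect named in the description, and the fix the mitigation notes ask for, as an added standalone PHP illustration (not Simple Link Directory's own code): the fragile pattern hand-builds a quoted JavaScript literal around a stored option, so any quote in the value ends the literal, while the hardened pattern emits the value as a JSON literal, which is what WordPress's wp_json_encode(), wp_add_inline_script() and wp_localize_script() do. The sld_demo_ function names and the sample values are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Runs with plain PHP; json_encode()
// is the function WordPress's wp_json_encode() wraps.

// Fragile: the value is dropped into a hand-built '...' literal. The advisory
// notes that sanitize_text_field() strips tags but keeps ' and ", so a quote in
// the stored option terminates the literal and whatever follows is parsed as code.
function sld_demo_fragile( string $option_value ): string {
    return "var sldNoResults = '" . $option_value . "';";
}

// Hardened: emit the value as a JSON string literal. json_encode() escapes
// quotes, backslashes, control characters and (by default) "/", and the
// JSON_HEX_* flags additionally hex-escape < > & ' ", so the stored value can
// neither end the literal nor close the surrounding <script> element. A JSON
// string is a valid JavaScript string expression, so no quote context has to
// be built by hand.
function sld_demo_hardened( string $option_value ): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var sldNoResults = ' . json_encode( $option_value, $flags ) . ';';
}

// Constructed sample option values. The benign apostrophe in the second one is
// enough to break the fragile literal, which shows that quote handling, not tag
// stripping, is the property that matters in a JavaScript string context.
$samples = [
    'No results found',
    "Nothing matched 'that' search",
];
foreach ( $samples as $value ) {
    echo 'fragile : ' . sld_demo_fragile( $value ) . PHP_EOL;
    echo 'hardened: ' . sld_demo_hardened( $value ) . PHP_EOL;
}
```

Inside a plugin, the same result with less code is wp_add_inline_script( $handle, 'var sldNoResults = ' . wp_json_encode( $value ) . ';' ) attached to the enqueued script that reads the value.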

Compliance Impact

The provided information does not specify how the CVE-2026-53741 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
