CVE-2026-53741
Description
Simple Link Directory versions up to 9.0.4 are vulnerable to stored XSS due to improper handling of the sld_no_results_found option, allowing script execution for all visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Simple Link Directory versions up to and including 9.0.4 are affected by a stored cross-site scripting (XSS) vulnerability. The sld_no_results_found option is interpolated into a JavaScript string literal without proper encoding. The sanitize_text_field function fails to remove quotes, allowing a stored payload to break out of the string context.
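The encoding mismatch described above, as an added example that is not the plugin's code and not from the advisory: a Node.js model of a server template that places a stored option into an inline JavaScript string literal, first with tag stripping only, then with JSON encoding for the script context. All function names and sample values are hypothetical, and `stripTagsOnly` is a simplified stand-in, not WordPress's `sanitize_text_field`.

```javascript
// Added example; function names and sample values are hypothetical.
// Simplified stand-in for a text sanitizer: strips tags, keeps quotes and backslashes.
function stripTagsOnly(value) {
  return String(value).replace(/<[^>]*>/g, "").trim();
}

// Weak pattern: the sanitized value is pasted between quotes in the script source.
function renderNaive(value) {
  return 'var noResults = "' + stripTagsOnly(value) + '";';
}

// Hardened pattern: JSON-encode into a string literal, then escape characters
// that could close the surrounding <script> element or act as line terminators.
function renderEncoded(value) {
  const literal = JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var noResults = " + literal + ";";
}

// Run the generated statement in isolation: true only if it parses and the
// variable holds exactly the expected text, i.e. the value stayed data.
function staysData(scriptSource, expected) {
  try {
    return new Function(scriptSource + " return noResults;")() === expected;
  } catch (err) {
    return false; // the value changed the statement's syntax
  }
}

// Constructed, benign option values; none come from the advisory.
const SAMPLES = ["Nothing found", 'No results for "widgets"', "Path C:\\", "</script>"];

function compare() {
  return SAMPLES.map((value) => ({
    value,
    naive: staysData(renderNaive(value), stripTagsOnly(value)),
    encoded: staysData(renderEncoded(value), value),
  }));
}

console.table(compare());
```

In WordPress PHP the corresponding output-side encoders are `wp_json_encode()` (with the `JSON_HEX_TAG | JSON_HEX_AMP` flags) or `esc_js()`, applied where the value is written into the script rather than where it is saved.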
Exploitation
An attacker with the ability to configure plugin settings can inject a malicious payload into the sld_no_results_found option. This payload will execute as JavaScript within the context of any user viewing a page where this option is displayed, requiring no user interaction beyond visiting the affected page.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any visitor to the affected pages. This can lead to session hijacking, information disclosure, or redirection to malicious sites, impacting the confidentiality and integrity of user data and the site itself.
Mitigation
There is currently no specific patched version mentioned in the available references. Users are advised to check for updates from the plugin developer. If a patch is not available, disabling or removing the plugin may be necessary to prevent exploitation. The plugin is listed as Simple Link Directory [2].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=9.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions
No linked articles in our index yet.