CVE-2026-53742
Description
Simple Link Directory versions up to 9.0.4 are vulnerable to stored XSS via the embed shortcode, allowing contributors to inject event handlers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Simple Link Directory versions up to and including 9.0.4 are affected by a stored cross-site scripting (XSS) vulnerability. The plugin echoes embed shortcode attributes directly into HTML data attributes within the embedder template without escaping them. A quote character in an attribute value therefore closes the data attribute and lets the rest of the value be rendered as markup, including event handlers.
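The pattern the advisory describes, as an added illustration that is not the plugin's own code: a shortcode handler writing an attribute value into a data-* attribute, first unescaped and then wrapped in the WordPress esc_attr() helper. The function names, attribute names and the sample value are assumptions; the fallbacks for the WordPress helpers exist only so the file runs outside WordPress.

```php
<?php
// Added illustration of the unescaped-attribute pattern; hypothetical code,
// not taken from Simple Link Directory.
// Fallbacks so the script runs outside WordPress (real WP defines both).
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Close enough to WordPress esc_attr for this demo: encode quotes too.
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: shortcode attribute placed raw inside data-mode="..."
function sld_embed_vulnerable(array $atts): string {
    $a = shortcode_atts(['id' => '0', 'mode' => 'list'], $atts);
    return '<div class="sld-embed" data-id="' . $a['id']
         . '" data-mode="' . $a['mode'] . '"></div>';
}

// Hardened form: every value that lands inside an attribute goes through esc_attr()
function sld_embed_hardened(array $atts): string {
    $a = shortcode_atts(['id' => '0', 'mode' => 'list'], $atts);
    return '<div class="sld-embed" data-id="' . esc_attr($a['id'])
         . '" data-mode="' . esc_attr($a['mode']) . '"></div>';
}

// Detection helper for a review or unit test: a value that contains a double
// quote must never appear unencoded in the rendered attribute.
function attribute_breakout(string $html, string $value): bool {
    return str_contains($value, '"') && str_contains($html, $value);
}

// Constructed sample: the quote closes data-mode and a second attribute follows.
// A harmless title attribute is used to show the break-out; the advisory's
// point is that an event handler would land in exactly the same position.
$sample = ['id' => '1', 'mode' => 'list" title="injected'];

$vuln = sld_embed_vulnerable($sample);
$safe = sld_embed_hardened($sample);
printf("vulnerable breakout: %s\n", attribute_breakout($vuln, $sample['mode']) ? 'yes' : 'no');
printf("hardened breakout:   %s\n", attribute_breakout($safe, $sample['mode']) ? 'yes' : 'no');
echo $vuln, "\n", $safe, "\n";
```

The hardened output keeps the quote as `&quot;`, so the browser still sees a single data-mode attribute; the same esc_attr() treatment applies to every value echoed into an attribute, not only the one shown.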
Exploitation
An attacker with contributor-level access to a WordPress site using a vulnerable version of Simple Link Directory can exploit this vulnerability. The attacker needs to craft a specific embed shortcode that includes an event handler within one of its attributes. When a user views the page containing this crafted shortcode, the injected event handler will execute in their browser.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of a viewer's browser. This can lead to various malicious actions, such as session hijacking, credential theft, or defacement of the affected page, depending on the injected script.
Mitigation
Users of Simple Link Directory should update to a version later than 9.0.4. A fixed version has been released. No workarounds are specified in the available references. The plugin is still actively supported as of the publication date of this advisory [2].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE)
- (no CPE), range: <=9.0.4
Patches
0: No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2 references.
News mentions
0: No linked articles in our index yet.