Medium severity 6.4 · NVD Advisory · Published May 2, 2026 · Updated May 5, 2026
CVE-2026-7209
Description
The Simple Link Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's qcopd-directory shortcode in all versions up to and including 8.9.2. The cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes such as title_font_size. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts into pages, and those scripts execute whenever a user accesses an injected page.
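To find existing content that may already abuse this, a site owner can audit stored post bodies for qcopd-directory shortcodes whose attributes hold unexpected values. The following is an added example, not code from the plugin or the advisory; it assumes post content has been exported as a post-ID-to-body mapping, that a font-size attribute should only ever hold a plain CSS length, and it uses constructed sample posts (attribute names other than title_font_size are illustrative).

```python
import re

# Assumption (not from the advisory): a font-size attribute only needs to hold
# a plain CSS length such as "16px", "1.2em" or "110%".
SAFE_SIZE = re.compile(r"^\d+(\.\d+)?(px|em|rem|pt|%)?$")
SHORTCODE = re.compile(r"\[qcopd-directory\b([^\]]*)\]", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Constructed sample post bodies keyed by post ID (not real site data).
SAMPLE_POSTS = {
    101: '[qcopd-directory mode="all" title_font_size="16px"]',
    102: "Intro text [qcopd-directory title_font_size='16px;<x>' mode=\"all\"]",
    103: "A post without the shortcode.",
}

def parse_attrs(raw):
    """Return {name: value} for one shortcode's attribute string."""
    attrs = {}
    for m in ATTR.finditer(raw):
        # Exactly one of the three value groups (double, single, bare) matched.
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs

def audit_post(post_id, content, size_attrs=("title_font_size",)):
    """Flag size attributes that are not plain CSS lengths, and any other
    attribute whose value carries angle brackets."""
    findings = []
    for sc in SHORTCODE.finditer(content):
        for name, value in parse_attrs(sc.group(1)).items():
            if name in size_attrs:
                bad = not SAFE_SIZE.match(value.strip())
            else:
                bad = "<" in value or ">" in value
            if bad:
                findings.append((post_id, name, value))
    return findings

def audit_posts(posts):
    """Audit every post and return (post_id, attribute, value) findings."""
    findings = []
    for post_id, content in sorted(posts.items()):
        findings.extend(audit_post(post_id, content))
    return findings

if __name__ == "__main__":
    for post_id, name, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: review {name}={value!r}")
```

Findings are review candidates, not confirmed injections; check the author and revision history of each flagged post.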
Affected products
- Range: <=8.9.2
References
- plugins.trac.wordpress.org/browser/simple-link-directory/tags/8.9.2/qc-op-directory-shortcodes.php (nvd)
- plugins.trac.wordpress.org/browser/simple-link-directory/tags/8.9.2/templates/style-1/template.php (nvd)
- plugins.trac.wordpress.org/browser/simple-link-directory/tags/8.9.4/qc-op-directory-shortcodes.php (nvd)
- wordpress.org/plugins/simple-link-directory (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/9a7ca5f6-89c0-49ce-9aef-2208365c6151 (nvd)
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026) · Wordfence Blog · May 7, 2026