CVE-2026-53741

MEDIUM NVD

CVSS Score 5.4

Severity MEDIUM

Published Jun 10, 2026

Vendor unknown

Description

Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.

References

https://wordpress.org/plugins/simple-link-directory/
https://www.vulncheck.com/advisories/simple-link-directory-through-stored-xss-via-sld-no-results-found-option