CVE-2026-7209

Name of the Vulnerable Software and Affected Versions Simple Link Directory versions prior to 8.9.3

Description The Simple Link Directory plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. This occurs because the qcopd-directory shortcode does not sufficiently sanitize input or escape output for user-supplied attributes, specifically the title font size variable. These scripts execute whenever a user visits the affected page.

Recommendations Update the plugin to a version later than 8.9.2. As a temporary workaround, restrict the use of the title font size attribute within the qcopd-directory shortcode for users with contributor-level access.