Attack Vectors
CVE-2025-32296 is a Medium severity (CVSS 5.3) missing-authorization issue affecting Simple Link Directory Pro (WordPress plugin slug: qc-simple-link-directory) in all versions prior to 14.8.1.
The CVSS vector records a network attack vector with no privileges required and no user interaction, so the weakness is reachable by an unauthenticated remote attacker: anyone on the internet who can send requests to the site may be able to trigger the affected functionality without holding an account and without any site user clicking or approving anything.
Reference: CVE record and Wordfence advisory.
Security Weakness
The plugin is reported to have a missing capability check on a function: the site does not reliably confirm that the requester is allowed to perform the action before executing it. In WordPress, authorization for a request handler is expressed by checking the current user's capabilities (for example with current_user_can()) inside the handler, or through a permission_callback on a REST route; a handler that is reachable through admin-ajax.php or the REST API and omits that check runs for whoever can send the request. This is an authorization control gap, the weakness class commonly described as "missing authorization" (CWE-862).
Note that a nonce check alone does not close this gap. A nonce is a cross-site request forgery defence that proves the request originated from a page the site generated; it says nothing about whether the requester is permitted to perform the action. When the capability check is absent or incomplete, attackers can reach administrative or management functions that were intended only for privileged logged-in users, and perform those actions without authorization.
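The two patterns described above, side by side, as an added illustration. This is not code from Simple Link Directory Pro or from the advisory; the action names, option name, REST namespace and the chosen capability (manage_options) are assumptions made for the example. The vulnerable handler is registered on both the authenticated and the nopriv AJAX hooks and never checks capabilities, so an anonymous POST to admin-ajax.php changes a site option; the hardened handler checks a nonce for CSRF and a capability for authorization, and is registered only on the authenticated hook. A REST route shows the equivalent fix via permission_callback.

```php
<?php
/**
 * Added example only (not the plugin's code). Names prefixed sld_demo_ are
 * hypothetical; the capability required is an assumption.
 */

// ---- Vulnerable pattern: missing capability check ------------------------
// Reachable by anyone via POST /wp-admin/admin-ajax.php?action=sld_demo_save_vuln
// Input is sanitized, but nobody asks whether the requester may change settings.
function sld_demo_save_settings_vulnerable() {
    $layout = sanitize_text_field( wp_unslash( $_POST['layout'] ?? '' ) );
    update_option( 'sld_demo_layout', $layout ); // executes for unauthenticated callers
    wp_send_json_success( array( 'layout' => $layout ) );
}
add_action( 'wp_ajax_sld_demo_save_vuln', 'sld_demo_save_settings_vulnerable' );
// The nopriv hook exposes the handler to visitors who are not logged in at all.
add_action( 'wp_ajax_nopriv_sld_demo_save_vuln', 'sld_demo_save_settings_vulnerable' );

// ---- Hardened pattern -----------------------------------------------------
function sld_demo_save_settings_hardened() {
    // 1. CSRF: request must carry a nonce minted for this action (dies on failure).
    check_ajax_referer( 'sld_demo_save_settings', 'nonce' );

    // 2. Authorization: the requester must hold the capability for this action.
    //    This is the check that is missing in the vulnerable handler above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // sends and exits
    }

    $layout = sanitize_text_field( wp_unslash( $_POST['layout'] ?? '' ) );
    update_option( 'sld_demo_layout', $layout );
    wp_send_json_success( array( 'layout' => $layout ) );
}
// Authenticated hook only: a privileged action gets no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_sld_demo_save_settings', 'sld_demo_save_settings_hardened' );

// ---- Same fix for a REST route ---------------------------------------------
// A permission_callback of '__return_true' is the REST-API form of this bug;
// the callback below ties the route to the same capability instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'sld-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $layout = sanitize_text_field( $request->get_param( 'layout' ) );
            update_option( 'sld_demo_layout', $layout );
            return rest_ensure_response( array( 'layout' => $layout ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

Dropped into a site as a plugin, the vulnerable action can be exercised with a plain unauthenticated POST of layout=... to admin-ajax.php, while the hardened action rejects the same request with a 403 (or the nonce failure response) before anything is written. When reviewing a plugin for this class of bug, look first at every wp_ajax_nopriv_ registration and every REST route whose permission_callback returns true unconditionally, then confirm each privileged handler performs a capability check and not merely a nonce check.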
Technical or Business Impacts
The disclosed impact is that an unauthenticated attacker can perform an unauthorized action. Even though the CVSS rating is Medium and the confidentiality impact is listed as none, a control failure of this kind can still create meaningful business risk: unexpected changes to site behavior, operational disruption, or downstream brand and reputation damage if site content or functionality is altered.
For marketing, brand, and compliance stakeholders, the key concern is governance: if a public, unauthenticated request can invoke privileged plugin functionality, it can undermine confidence in the integrity of web content and reporting. This can also increase incident-response time and cost, especially if you must prove what did (or did not) change during a campaign or reporting period.
Remediation: Update Simple Link Directory Pro to version 14.8.1 or a newer patched version, as recommended by the advisory, and confirm the installed version afterwards on every site that runs the plugin.
Similar Attacks
Authorization bypass and missing-authorization flaws are common across many products and have been used in real-world incidents. Examples include:
CVE-2023-20198 (Cisco IOS XE Web UI authentication bypass)
CVE-2022-1388 (F5 BIG-IP iControl REST authentication bypass)
CVE-2019-11510 (Pulse Secure VPN pre-auth file read)