The vulnerability CVE-2025-48297 affects the Simple Link Directory plugin by quantumcloud, where insufficient input sanitization during web page generation enables reflected cross-site scripting (XSS). This allows an attacker to craft malicious URLs that, when visited by a user, execute arbitrary scripts in the victim's browser session. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, scope change, and impacts on confidentiality, integrity, and availability at low levels. The affected versions include all versions prior to 14.8.1. No patch or vendor advisory is currently provided.

Successful exploitation of this reflected XSS vulnerability can lead to limited disclosure of information, modification of data within the user's browser context, and potential disruption of availability for the affected web application interface. The attack requires user interaction (clicking a crafted link) and can affect users of the vulnerable Simple Link Directory plugin. There are no reports of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted input and consider implementing web application firewall (WAF) rules to detect and block reflected XSS attempts. Monitor vendor channels for updates regarding patches or official mitigations.