Impact
The CVE describes an Improper Neutralization of Input During Web Page Generation weakness (the CWE-79 category) that permits reflected cross-site scripting (XSS) in the Website LLMs.txt plugin. In a reflected XSS flaw, attacker-controlled input taken from the request is written back into the generated page without context-appropriate encoding, so a crafted request causes the victim's browser to execute attacker-chosen script in the origin of the affected site. Typical consequences include session hijacking, credential theft, and actions performed with the victim's privileges; the CVE description does not state these outcomes explicitly, so they are inferred from the nature of XSS.
Affected Systems
WordPress sites running the Website LLMs.txt plugin by Ryan Howard are affected. All versions up to and including 8.2.6 are vulnerable; any site on one of those releases should be updated.
Risk and Exploitability
The flaw is remotely exploitable and requires no authentication: an attacker supplies crafted input, most likely through a URL query parameter or a form field, that the plugin reflects into the page. Because the payload is reflected rather than stored, a victim must be induced to open the attacker's link, which is why such flaws are usually delivered through phishing or other social engineering. The EPSS score is below 1 %, indicating a low estimated probability of exploitation, and the flaw is not listed in CISA's KEV catalog. A low probability is not a low impact: once a reflecting parameter is known, a reflected XSS is straightforward to weaponize, so sites still running an affected release should treat the update as the fix and limit exposure to script injection until it is applied.
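The following Python example, added here and not taken from the plugin or the advisory, models the flaw class described above and the check a practitioner runs to confirm it: a page that echoes a query parameter raw, the same page with the value HTML-encoded before output (html.escape(quote=True) stands in for WordPress's esc_html()/esc_attr()), and a canary-based probe that reports which HTML metacharacters come back unencoded. The parameter name `q`, the canary tokens and the page markup are all hypothetical; nothing here names the plugin's real parameters or output points.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed canary (hypothetical, not from the advisory): the four HTML
# metacharacters an encoding sink must neutralise, wrapped in unique tokens
# so the reflected segment can be located even when it is only partly encoded.
START, END = "zqx7", "zqy7"
META = '<>"\''
CANARY = START + META + END


def render_vulnerable(query_string: str) -> str:
    """Models the flaw class, not the plugin's code: the 'q' parameter
    (hypothetical name) is interpolated into HTML without encoding."""
    q = parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]
    return f'<p>Results for: {q}</p>\n<input name="q" value="{q}">'


def render_hardened(query_string: str) -> str:
    """Same page with the value encoded before output. html.escape(quote=True)
    stands in for WordPress's esc_html()/esc_attr(), which plugin code should
    call at every output point."""
    q = parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]
    safe = html.escape(q, quote=True)
    return f'<p>Results for: {safe}</p>\n<input name="q" value="{safe}">'


def surviving_metachars(body: str) -> str:
    """Which canary metacharacters came back raw in the first reflection.
    Empty string means every one was encoded (or the value was not echoed);
    a lone quote is still a finding, since it breaks out of an attribute."""
    i = body.find(START)
    if i < 0:
        return ""
    j = body.find(END, i)
    if j < 0:
        return ""
    segment = body[i + len(START):j]
    return "".join(c for c in META if c in segment)


def probe(render) -> dict:
    """Send the canary as a URL-encoded query parameter through a renderer
    and report the metacharacters that were reflected without encoding."""
    qs = "q=" + quote(CANARY, safe="")
    body = render(qs)
    return {"query": qs, "body": body, "raw": surviving_metachars(body)}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        result = probe(fn)
        print(f"{name}: raw metacharacters reflected = {result['raw']!r}")
```

Against a live site the same check is run by placing CANARY in each request parameter the plugin reads and passing the HTTP response body to surviving_metachars(); any non-empty result is a reflection that needs encoding, and a result containing only a quote character still matters because it escapes an attribute value.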
OpenCVE Enrichment