Description
The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.6. This is due to the use of filter_input() without a sanitization filter and insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Published: 2026-04-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Website LLMs.txt plugin for WordPress is vulnerable to reflected XSS because it processes the 'tab' parameter with filter_input() without sanitization and fails to escape output. An unauthenticated attacker can inject arbitrary JavaScript that will execute in a browser when a page containing the reflected value is loaded, enabling session hijacking, data theft, or defacement. This flaw is classified as CWE‑79 and affects only the reflection of user input.

Affected Systems

The vulnerability applies to the Website LLMs.txt plugin developed by ryhowa and is present in all WordPress installations running version 8.2.6 or earlier. No other vendors or product variants are mentioned.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Attackers can exploit this vulnerability by crafting a malicious URL that includes a payload in the 'tab' parameter and persuading a site administrator to click the link, such as via phishing or social engineering. No authentication is required to trigger the reflected script, but successful execution could grant the attacker the privileges of the administrator who loads the page.

Generated by OpenCVE AI on April 21, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Website LLMs.txt plugin to the latest available version (greater than 8.2.6) which removes the unsanitized parameter handling.
  • If upgrading is not immediately possible, modify server-side code or configuration to HTML‑escape the 'tab' query parameter before output, or otherwise prevent it from being reflected.
  • Implement a web application firewall rule that rejects or sanitizes suspicious script content in GET parameters to reduce the risk of accidental execution when an admin clicks a malicious link.

Generated by OpenCVE AI on April 21, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Ryhowa
Ryhowa website Llms.txt
Wordpress
Wordpress wordpress
Vendors & Products Ryhowa
Ryhowa website Llms.txt
Wordpress
Wordpress wordpress

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.6. This is due to the use of filter_input() without a sanitization filter and insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Title Website LLMs.txt <= 8.2.6 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Ryhowa Website Llms.txt
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-21T13:51:33.148Z

Reserved: 2026-04-20T18:23:59.647Z

Link: CVE-2026-6711

cve-icon Vulnrichment

Updated: 2026-04-21T13:51:28.856Z

cve-icon NVD

Status : Deferred

Published: 2026-04-21T07:16:09.743

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-6711

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:46:42Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')