Description
The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-04-21
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can be triggered by users with administrator or higher privileges
Action: Apply Patch
AI Analysis

Impact

The Website LLMs.txt plugin contains a stored cross‑site scripting flaw in its admin configuration options. Because input is not properly sanitized and the output is not escaped, an attacker who can authenticate with administrator‑level permissions can inject arbitrary JavaScript into pages that will run whenever other users access those pages. The injected script can steal session cookies, deface content, or redirect users, thereby compromising confidentiality, integrity, and potentially availability of the site’s front end.

Affected Systems

WordPress sites that use the Website LLMs.txt plugin version 8.2.6 or earlier. The vulnerability only applies to multi‑site installations, and to installations where the unfiltered_html capability has been disabled for the administrator role. Users with administrator or higher privileges can trigger the exploit.

Risk and Exploitability

The CVSS score of 4.4 indicates a medium severity risk, but the EPSS score of less than 1% demonstrates that exploitation is currently unlikely. The flaw is not listed in the CISA KEV catalog. The attack requires authenticated access to the plugin’s admin interface, meaning that an attacker must first compromise or be granted administrator credentials. Once an article or page is stored with malicious script, all subsequent visits to that page by any user will execute the script, providing a persistent but localized attack vector.

Generated by OpenCVE AI on April 22, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Website LLMs.txt plugin to the latest available version (8.2.7 or later) before the vulnerability is exploited.
  • Review and revoke any unnecessary administrator or higher‑privilege accounts on the WordPress installation.
  • Enable or enforce stricter sanitization and output escaping in the plugin’s settings, or otherwise disable the ability to store user‑supplied scripts in admin pages.

Generated by OpenCVE AI on April 22, 2026 at 03:23 UTC.
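The description and the third recommended action above both turn on the same two controls: sanitizing a settings value when it is saved and escaping it when it is rendered. The following is an added illustration of that pattern with the WordPress Settings API; it is not code from the Website LLMs.txt plugin, and the option group, option name and function names (prefixed `example_llms_`) are hypothetical.

```php
<?php
/**
 * Added example, not the plugin's own code: the WordPress Settings API pattern
 * that addresses the CWE-79 weakness described in this record. The option group
 * "example_llms_settings", the option "example_llms_site_summary" and the
 * example_llms_* functions are hypothetical names chosen for illustration.
 */

// 1. Register the option with a sanitize_callback so every save passes through
//    a filter before the value reaches the database.
add_action( 'admin_init', function () {
    register_setting(
        'example_llms_settings',         // option group (hypothetical)
        'example_llms_site_summary',     // option name (hypothetical)
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_llms_sanitize_summary',
            'default'           => '',
        )
    );
} );

/**
 * A plain-text summary never needs markup, so strip tags and control
 * characters on save. sanitize_textarea_field() keeps line breaks, which
 * sanitize_text_field() would remove.
 */
function example_llms_sanitize_summary( $raw ) {
    return sanitize_textarea_field( (string) $raw );
}

// 2. Escape at the point of output as well, even though the value was sanitized
//    on save: storage-time filtering and render-time escaping are independent
//    defences, and a value written by an older version of the plugin may never
//    have passed through the callback above.
function example_llms_render_field() {
    $value = get_option( 'example_llms_site_summary', '' );
    printf(
        '<textarea name="%s" rows="4" cols="60">%s</textarea>',
        esc_attr( 'example_llms_site_summary' ),
        esc_textarea( $value )
    );
}

// 3. Where the stored value is emitted on the front end as text, escape for that
//    context too; esc_html() neutralises any markup that reaches this point.
function example_llms_front_end_output() {
    $value = get_option( 'example_llms_site_summary', '' );
    echo esc_html( $value );
}
```

The scoping in the description (multi-site installations, or single-site installations where unfiltered_html has been disabled) follows from how WordPress assigns that capability: on a single-site install administrators hold unfiltered_html and may post raw HTML anyway, whereas on multi-site only super administrators hold it, and the DISALLOW_UNFILTERED_HTML constant removes it everywhere. In those deployments the plugin's own sanitize-on-save and escape-on-output calls are the only thing keeping an administrator's settings input from becoming script in other users' browsers.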

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Ryhowa, Ryhowa website Llms.txt, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Ryhowa, Ryhowa website Llms.txt, Wordpress, Wordpress wordpress

Tue, 21 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 07:15:00 +0000

Type: Description
Values Added: The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Type: Title
Values Added: Website LLMs.txt <= 8.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-21T13:47:53.867Z

Reserved: 2026-04-20T18:25:58.510Z

Link: CVE-2026-6712

Vulnrichment

Updated: 2026-04-21T13:47:44.746Z

NVD

Status: Deferred

Published: 2026-04-21T07:16:09.880

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-6712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:43Z

Weaknesses