{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27068", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:42.768Z", "datePublished": "2026-03-19T08:42:37.658Z", "dateUpdated": "2026-04-28T16:15:01.020Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "website-llms-txt", "product": "Website LLMs.txt", "vendor": "Ryan Howard", "versions": [{"changes": [{"at": "8.2.7", "status": "unaffected"}], "lessThanOrEqual": "8.2.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:02.792Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.<p>This issue affects Website LLMs.txt: from n/a through <= 8.2.6.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.This issue affects Website LLMs.txt: from n/a through <= 8.2.6."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.020Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:49:36.391557Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T15:55:59.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:49:36.391557Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:50:02.766Z"}}], "cna": {"title": "WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ryan Howard", "product": "Website LLMs.txt", "versions": [{"status": "affected", "changes": [{"at": "8.2.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "8.2.6"}], "packageName": "website-llms-txt", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:31.526Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.This issue affects Website LLMs.txt: from n/a through <= 8.2.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.<p>This issue affects Website LLMs.txt: from n/a through <= 8.2.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:10.331Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27068", "state": "PUBLISHED", "dateUpdated": "2026-04-24T15:55:59.903Z", "dateReserved": "2026-02-17T13:23:42.768Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:42:37.658Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.This issue affects Website LLMs.txt: from n/a through <= 8.2.6."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Ryan Howard Website LLMs.Txt permite XSS Reflejado. Este problema afecta a Website LLMs.Txt: desde n/a hasta 8.2.6."}], "id": "CVE-2026-27068", "lastModified": "2026-04-23T15:37:15.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:18.157", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.2.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[8.2.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Website LLMs.txt", "source": "cna", "vendor": "Ryan Howard"}, "product": "website_llms.txt", "vendor": "ryan_howard"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:23:03.599072+00:00", "value": {"mitigation_remediation": ["Upgrade the Website LLMs.txt plugin to the latest available version from the developer\u2019s site, which removes the reflected XSS flaw. If a patch is not immediately available, consider temporarily disabling the plugin or blocking its input mechanisms until an official fix is released.", "Add a Content Security Policy header that disallows inline JavaScript execution on pages served by the plugin, reducing the risk of successful XSS injection.", "If the plugin cannot be disabled, use role\u2011based access controls or IP restrictions to limit usage of its input features until a patch is applied."], "summary": {"action": "Update", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "WordPress sites operating the Website LLMs.txt plugin by Ryan Howard are affected. Versions from the earliest releases through 8.2.6 are vulnerable; any site running one of those releases requires attention.", "description_and_impact": "The CVE identifies an Improper Neutralization of Input During Web Page Generation flaw that allows reflected XSS in the Website LLMs.txt plugin. This means user\u2011supplied data can be echoed back into a page without proper sanitization, exposing the site to arbitrary script execution in a visitor\u2019s browser. Typical consequences of such a flaw could include hijacking user sessions or stealing credentials, but the CVE description does not explicitly state these outcomes, so the impact is inferred from the nature of XSS.", "risk_and_exploitability": "The vulnerability can be triggered remotely by supplying crafted input that the plugin reflects back, likely via URLs or form fields, and it requires no authentication. The EPSS score is below 1\u202f%, indicating a low reported likelihood of exploitation, and the flaw is not listed in CISA\u2019s KEV catalog. Despite the low exploitation probability, a reflected XSS flaw can be weaponized through social engineering or malicious links, so guard against the potential for script injection should the plugin remain unpatched. The CVSS score of 7.1 signifies a high severity level for this vulnerability."}}}}, "created": "2026-03-20T08:57:00.259469+00:00", "updated": "2026-04-28T17:30:10.620181+00:00", "vendors": ["ryan_howard", "ryan_howard$PRODUCT$website_llms.txt", "wordpress", "wordpress$PRODUCT$wordpress"]}