Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.This issue affects Website LLMs.Txt: from n/a through 8.2.6.
AnalysisAI
A reflected cross-site scripting (XSS) vulnerability exists in the Website LLMs.Txt WordPress plugin through version 8.2.6, allowing remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability requires user interaction (UI:R) but no authentication (PR:N) and can be exploited over the network with low complexity (AC:L). With a CVSS score of 7.1 and changed scope (S:C), this represents a medium-to-high severity issue that could lead to session hijacking, credential theft, or malicious actions performed in the context of victim users.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS flaw. The Website LLMs.Txt plugin for WordPress fails to properly sanitize user-supplied input before reflecting it back in HTTP responses, allowing attackers to inject arbitrary JavaScript or HTML code. Reflected XSS occurs when malicious input is immediately returned by a web application without proper encoding or validation, typically through URL parameters or form submissions. The affected product is a WordPress plugin developed by Ryan Howard that appears to manage LLMs.txt files for websites, and the lack of input validation in version 8.2.6 and earlier creates an exploitable condition when processing user-controlled data.
RemediationAI
Users of the Website LLMs.Txt plugin should immediately upgrade to a patched version newer than 8.2.6 if available from the plugin developer or WordPress plugin repository. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for specific patch availability and version information. If an updated version is not yet available, consider temporarily disabling the plugin until a fix is released, especially on production sites with sensitive user data or authenticated operations. As a defense-in-depth measure, implement Content Security Policy (CSP) headers to mitigate XSS impact, enable WordPress security plugins that provide XSS filtering, and educate users about the risks of clicking untrusted links. Web application firewalls (WAF) with XSS detection rules can provide additional protection while awaiting vendor patches.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13089