Skip to main content

Ryan Howard Website LLMs.Txt EUVDEUVD-2026-13089

| CVE-2026-27068 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
EUVD ID Assigned
Mar 19, 2026 - 09:22 euvd
EUVD-2026-13089
Analysis Generated
Mar 19, 2026 - 09:22 vuln.today
CVE Published
Mar 19, 2026 - 09:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.This issue affects Website LLMs.Txt: from n/a through 8.2.6.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability exists in the Website LLMs.Txt WordPress plugin through version 8.2.6, allowing remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability requires user interaction (UI:R) but no authentication (PR:N) and can be exploited over the network with low complexity (AC:L). With a CVSS score of 7.1 and changed scope (S:C), this represents a medium-to-high severity issue that could lead to session hijacking, credential theft, or malicious actions performed in the context of victim users.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS flaw. The Website LLMs.Txt plugin for WordPress fails to properly sanitize user-supplied input before reflecting it back in HTTP responses, allowing attackers to inject arbitrary JavaScript or HTML code. Reflected XSS occurs when malicious input is immediately returned by a web application without proper encoding or validation, typically through URL parameters or form submissions. The affected product is a WordPress plugin developed by Ryan Howard that appears to manage LLMs.txt files for websites, and the lack of input validation in version 8.2.6 and earlier creates an exploitable condition when processing user-controlled data.

RemediationAI

Users of the Website LLMs.Txt plugin should immediately upgrade to a patched version newer than 8.2.6 if available from the plugin developer or WordPress plugin repository. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for specific patch availability and version information. If an updated version is not yet available, consider temporarily disabling the plugin until a fix is released, especially on production sites with sensitive user data or authenticated operations. As a defense-in-depth measure, implement Content Security Policy (CSP) headers to mitigate XSS impact, enable WordPress security plugins that provide XSS filtering, and educate users about the risks of clicking untrusted links. Web application firewalls (WAF) with XSS detection rules can provide additional protection while awaiting vendor patches.

Share

EUVD-2026-13089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy