CVE-2026-27068

The Website LLMs.txt plugin for WordPress versions up to and including 8.2.6 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw arises from insufficient sanitization of parameters that are reflected back in HTTP responses without proper encoding.

An attacker can exploit this vulnerability by crafting a malicious link containing JavaScript code in a query parameter. Successful exploitation requires tricking a privileged user (e.g., an administrator) into clicking the link or visiting a specially crafted page, fulfilling the requirement for user interaction [1]. This attack vector is particularly concerning because it can be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their traffic size or popularity [1].

If exploited, an attacker can inject arbitrary HTML and JavaScript into the target website's context, leading to potential redirects, unauthorized advertisements, or other malicious payloads that execute when visitors access the site [1]. This could compromise user sessions, deface the site, or serve as a foothold for further attacks.

The vulnerability has been patched in version 8.2.7 of the plugin. Users are strongly advised to update immediately. For those unable to update, employing a virtual patching solution like Patchstack can provide temporary mitigation until the update is applied [1]. Given the moderate severity (CVSS 7.1) and the potential for automated exploitation, prompt action is recommended.