Platform: wordpress
Component: website-llms-txt
Fixed in: 8.2.7
CVE-2026-27068 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the Website LLMs.txt WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions from 0.0.0 up to and including 8.2.6, but a patch is available in version 8.2.7.
Successful exploitation of this Reflected XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal sensitive information like cookies and session tokens, enabling account takeover. Attackers could also redirect users to malicious websites, deface the website, or inject malware. The impact is amplified if the website handles sensitive user data or financial transactions, as an attacker could gain access to this information. While the vulnerability is reflected, meaning it requires user interaction (clicking a malicious link), the potential for widespread impact remains significant, especially if the plugin is widely deployed.
CVE-2026-27068 was publicly disclosed on 2026-03-19. No public proof-of-concept exploits have been identified at the time of writing, but the ease of exploitation for Reflected XSS vulnerabilities means it's likely to become a target. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the vulnerability's nature and public disclosure. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27068 is to immediately upgrade the Website LLMs.txt plugin to version 8.2.7 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input. Specifically, look for patterns associated with XSS payloads, such as <script> tags or event handlers. Additionally, carefully sanitize all user-supplied input before rendering it on the website to prevent further XSS vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the vulnerable input field and verifying that the script is not executed.
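As an added example (not code from the Website LLMs.txt plugin or from this advisory), the stand-alone PHP below contrasts the generic reflected-XSS pattern with its hardened form and runs the post-upgrade verification check the advisory describes. The query parameter name q, the render functions and the second probe payload are constructed for illustration; inside WordPress you would call esc_html()/esc_attr() and sanitize_text_field() where this file uses htmlspecialchars() and strip_tags() so that it runs without WordPress.

```php
<?php
// Added example, not from the plugin or the advisory. The parameter "q" is hypothetical.

// Vulnerable pattern: a request value is echoed into HTML unchanged.
function render_unsafe(array $query): string
{
    $q = $query['q'] ?? '';
    return "<p>You searched for: {$q}</p>";
}

// Context-aware escaping for HTML text and double-quoted attribute values.
// In WordPress use esc_html() / esc_attr(); htmlspecialchars() is the stand-alone
// equivalent used here so the file runs outside WordPress.
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: sanitize on input as defense in depth, escape on output always.
function render_safe(array $query): string
{
    $q = $query['q'] ?? '';
    $q = trim(strip_tags($q));          // WordPress: sanitize_text_field()
    $safe = esc_html_ctx($q);           // the control that actually prevents XSS
    return "<p>You searched for: {$safe}</p>\n"
         . '<input type="text" name="q" value="' . $safe . '">';
}

// Verification check from the advisory: send a probe payload through the input
// and confirm it does not come back verbatim (i.e. as live markup).
function probe_reflected(callable $render, string $payload): bool
{
    $out = $render(['q' => $payload]);
    return str_contains($out, $payload); // true means the payload was reflected unescaped
}

$payloads = [
    '<script>alert(1)</script>',        // the advisory's own probe
    '"><img src=x onerror=alert(1)>',   // constructed attribute-context probe (event handler)
];
foreach ($payloads as $p) {
    printf("unsafe reflects: %s | hardened reflects: %s\n",
        probe_reflected('render_unsafe', $p) ? 'yes' : 'no',
        probe_reflected('render_safe', $p) ? 'yes' : 'no');
}
```

Output escaping is the control that closes a reflected XSS; input sanitization is only a secondary layer, because a value that is safe in HTML text can still break out of an attribute or a JavaScript string if it is escaped for the wrong context. The probe_reflected check is the same verification the advisory recommends after upgrading: a patched page must return the probe escaped, never as executable markup.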
Update to version 8.2.7, or a newer patched version
CVE-2026-27068 is a Reflected XSS vulnerability in the Website LLMs.txt WordPress plugin, allowing attackers to inject malicious scripts. It has a CVSS score of 7.1 (HIGH).
You are affected if you are using Website LLMs.txt versions 0.0.0 through 8.2.6. Upgrade to 8.2.7 or later to mitigate the risk.
Upgrade the Website LLMs.txt plugin to version 8.2.7 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no public exploits are currently known, the ease of exploitation for Reflected XSS vulnerabilities suggests it may become a target.
Refer to the official Website LLMs.txt plugin repository or WordPress.org plugin page for the latest advisory and update information.