Platform
wordpress
Component
website-llms-txt
Fixed version
8.2.7
CVE-2026-27068 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Website LLMs.txt WordPress plugin. Because the flaw is reflected, nothing is stored on the site: the attacker crafts a URL carrying the payload, the plugin echoes the parameter back into the page without escaping it, and the script runs in the browser of whoever opens that link, under the site's origin and with that user's session. The vulnerability affects versions from 0.0.0 up to and including 8.2.6 and is fixed in version 8.2.7.
Successful exploitation lets an attacker run arbitrary JavaScript in the victim's browser under the vulnerable site's origin. From there the script can read the page and the DOM, issue authenticated requests to wp-admin and the REST API as the victim, and read any cookie not marked HttpOnly. If the victim is an administrator that is enough to change content, create users, or install further code without ever exfiltrating the session cookie; against ordinary users the script can redirect them to another site, deface what they see, or serve malware. The impact is higher on sites that handle sensitive user data or financial transactions. Exploitation does require the victim to open an attacker-supplied link, typically delivered by phishing, but the payload is a single URL and every site running the plugin is a potential target, so the practical impact remains significant.
CVE-2026-27068 was publicly disclosed on 2026-03-19. No public proof-of-concept exploit has been identified at the time of writing. The EPSS score recorded on this page is 0.04% (11th percentile), i.e. a low current probability of exploitation; reflected XSS is cheap to weaponize once the affected parameter is known, so that score may rise after a public proof of concept appears. It is not listed in the CISA KEV catalog.
Any site running the Website LLMs.txt plugin at version 8.2.6 or earlier is affected. Most exposed are sites whose logged-in users, and especially administrators, can be targeted with links, and sites that handle sensitive user data or financial transactions. A reflected XSS does not by itself give the attacker code execution on the server and cannot reach other sites on a shared host, because the script runs in the victim's browser under the vulnerable site's origin; neighbors on shared hosting become relevant only if an administrator's session is hijacked and then used to upload server-side code, which is a separate, server-side compromise.
• wordpress / composer / npm: confirm the plugin is present on disk (a grep for literal script tags in the plugin source is only a crude presence check; the plugin's Version header, as shown by WP-CLI, is the authoritative indicator of exposure):
  grep -r '<script>' /var/www/html/wp-content/plugins/website-llms-txt/
• generic web: send a probe and look for it reflected unencoded in the response body (a HEAD request with -I returns no body, and unquoted angle brackets are shell redirections, so the payload is URL-encoded here; `param` is a placeholder for the affected parameter, which this page does not name):
  curl -sS -G --data-urlencode 'param=<script>alert(1)</script>' 'https://example.com/' | grep -F '<script>alert(1)</script>'
• wordpress / composer / npm: an inactive plugin still ships its PHP files, so list inactive copies as well as active ones:
  wp plugin list --status=inactive
• wordpress / composer / npm: update to the fixed release:
  wp plugin update website-llms-txt
Disclosure
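The commands above check presence and trigger the update, but the decision "is this install affected?" comes down to comparing the plugin's Version header against 8.2.7. The script below, an added example that is not code from this advisory or from the plugin, reads that header the way WordPress does and compares versions numerically (so 8.2.10 is correctly seen as newer than 8.2.7). PLUGIN_DIR and the header file layout are assumptions; the fixture at the bottom is a constructed sample used when no real install is present.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin: decide whether an
# installed Website LLMs.txt plugin is below the fixed release by reading the
# "Version:" header that WordPress itself parses. PLUGIN_DIR and the header
# file layout are assumptions; point PLUGIN_DIR at the real plugin directory.
PLUGIN_DIR="${PLUGIN_DIR:-/var/www/html/wp-content/plugins/website-llms-txt}"
FIXED_VERSION="8.2.7"

# Print the Version: header of the first top-level PHP file that declares one.
plugin_version() {
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
        | sed -E 's/^.*Version:[[:space:]]*//; s/[[:space:]]*$//' | head -n1
}

# True (exit 0) when dotted version $1 sorts strictly before $2.
# sort -V is GNU coreutils / modern BSD sort; plain lexical sort would misorder 8.2.10.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Exit 0 if the plugin in directory $1 is affected (< 8.2.7), 1 if fixed,
# 2 if no plugin header was found there.
is_vulnerable() {
    v="$(plugin_version "$1")"
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed fixture for offline use: a minimal plugin header at a chosen
# version. Real installs are inspected by passing their directory instead.
make_fixture() {
    d="$(mktemp -d)/website-llms-txt"
    mkdir -p "$d"
    printf '<?php\n/**\n * Plugin Name: Website LLMs.txt\n * Version: %s\n */\n' "$1" \
        > "$d/website-llms-txt.php"
    printf '%s' "$d"
}

report() {
    if is_vulnerable "$1"; then
        echo "$1: version $(plugin_version "$1") is affected, update to $FIXED_VERSION or later"
    else
        echo "$1: not affected, or no plugin header found"
    fi
}

# Inspect a real install if it exists, otherwise the constructed fixture.
if [ -d "$PLUGIN_DIR" ]; then report "$PLUGIN_DIR"; else report "$(make_fixture 8.2.6)"; fi
```

Run it on each host with `PLUGIN_DIR` set to the real path; on multi-site hosts, loop over every wp-content/plugins directory, because the inactive copies noted above carry the same header and the same code.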
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27068 is to upgrade the Website LLMs.txt plugin to version 8.2.7 or later as soon as possible; if the plugin is not needed, deactivate and delete it, since an inactive plugin's PHP files remain on disk. If the upgrade must wait for compatibility testing, a Web Application Firewall rule that blocks common XSS markers in query parameters (such as <script, javascript: and on*= event handlers) raises the bar, but only as a stopgap: reflected XSS filters are routinely bypassed with alternative encodings and tags, so treat the rule as a delay rather than a fix. The real fix is output encoding at the point of reflection, in WordPress terms esc_html() for text and esc_attr() for attribute values, applied to every request parameter the plugin echoes back. After upgrading, confirm the fix by submitting a simple probe (e.g. <script>alert(1)</script>, or a harmless unique tag) through the formerly vulnerable input and verifying in the browser that it is returned HTML-encoded rather than executed; run that check with the WAF rule disabled or bypassed, otherwise you are testing the WAF, not the plugin.
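The post-upgrade check described above is easy to get wrong by eye: a payload that is present in the page source but entity-encoded looks alarming yet is harmless. The script below, an added example that is not code from this advisory or from the plugin, makes the check mechanical: it sends a unique, harmless canary and reports whether it comes back byte-for-byte (still reflected into HTML) or only encoded. The parameter name is an assumption, since this page does not name the affected input; the two response bodies at the bottom are constructed samples so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin: confirm a reflected
# XSS fix by sending a unique, harmless canary and checking whether the
# response returns it raw or HTML-encoded. The parameter name is an assumption
# (this page does not name the affected input); take it from the plugin's
# changelog or the vendor advisory. Run it with any WAF rule disabled so that
# the result reflects the plugin, not the filter.
CANARY='<xsscanary1337>'

# Read an HTML body from stdin. Exit 0 if the canary appears byte-for-byte
# (reflected into HTML context, still exploitable); exit 1 if it is absent or
# only present encoded (e.g. &lt;xsscanary1337&gt;).
reflected_raw() {
    body="$(cat)"
    case "$body" in
        *"$CANARY"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify a response body: prints VULNERABLE or FIXED.
verdict() {
    if printf '%s' "$1" | reflected_raw; then echo VULNERABLE; else echo FIXED; fi
}

# Live probe: GET the URL with the canary URL-encoded into PARAM, so the shell
# never sees raw angle brackets and the server receives one clean query string.
# Usage: probe 'https://example.com/' param
probe() {
    body="$(curl -sS -G --data-urlencode "$2=$CANARY" "$1")"
    verdict "$body"
}

# Constructed responses standing in for a site before and after the patch.
VULN_BODY="<html><body><p>Results for $CANARY</p></body></html>"
FIXED_BODY='<html><body><p>Results for &lt;xsscanary1337&gt;</p></body></html>'

echo "unpatched sample: $(verdict "$VULN_BODY")"   # VULNERABLE
echo "patched sample:   $(verdict "$FIXED_BODY")"  # FIXED
```

The canary only covers reflection into HTML text. If the parameter lands inside an attribute, a fix that encodes < but not the quote character is still exploitable, so for attribute sinks extend the canary with a double quote and check for that character coming back raw as well. A FIXED verdict for one parameter also says nothing about other parameters the plugin may echo; probe each one the changelog mentions.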
Update to version 8.2.7, or a newer patched version
CVE-2026-27068 is a Reflected XSS vulnerability in the Website LLMs.txt WordPress plugin, allowing attackers to inject malicious scripts. It has a CVSS score of 7.1 (HIGH).
You are affected if you are using Website LLMs.txt versions 0.0.0 through 8.2.6. Upgrade to 8.2.7 or later to mitigate the risk.
Upgrade the Website LLMs.txt plugin to version 8.2.7 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no public exploits are currently known, the ease of exploitation for Reflected XSS vulnerabilities suggests it may become a target.
Refer to the official Website LLMs.txt plugin repository or WordPress.org plugin page for the latest advisory and update information.