[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f22YSReXtl6Wg1hnkcM-8tmioBK5q3kYh9oN-Ehr_lHs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-6711","website-llmstxt-reflected-cross-site-scripting-2","Website LLMs.txt \u003C= 8.2.6 - Reflected Cross-Site Scripting","The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.6. This is due to the use of filter_input() without a sanitization filter and insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.","website-llms-txt",null,"\u003C=8.2.6","8.2.7","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-20 00:00:00","2026-04-21 06:44:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff5af155b-b65e-4cb1-a748-fc0fc5c6176d?source=api-prod",1,[22,23,24,25],"README.txt","admin\u002Fadmin-page.php","includes\u002Fclass-llms-generator.php","website-llms-txt.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-6711 - Reflected XSS in Website LLMs.txt\n\n## 1. Vulnerability Summary\nThe **Website LLMs.txt** plugin for WordPress (versions \u003C= 8.2.6) contains a reflected Cross-Site Scripting (XSS) vulnerability in its administrative settings page. The vulnerability exists because the plugin retrieves the `tab` GET parameter using `filter_input(INPUT_GET, 'tab')` without specifying a sanitization filter (defaulting to `FILTER_DEFAULT`, which does not strip HTML tags or attributes) and subsequently echoes this value back into the HTML document without appropriate output escaping (like `esc_attr()` or `esc_html()`).\n\n## 2. Attack Vector Analysis\n- **Target Page**: The plugin's settings page in the WordPress admin dashboard.\n- **Endpoint**: `\u002Fwp-admin\u002Foptions-general.php` or `\u002Fwp-admin\u002Ftools.php` (depending on which menu the plugin registers under).\n- **Vulnerable Parameter**: `tab` (GET parameter).\n- **Authentication Requirement**: The victim must be a logged-in Administrator (or a user with the `manage_options` capability) because the vulnerable code resides in the admin area.\n- **Preconditions**: The attacker must trick the administrator into clicking a malicious link (Reflected XSS).\n\n## 3. Code Flow\n1. **Entry Point**: A user (administrator) navigates to `wp-admin\u002Foptions-general.php?page=website-llms-txt&tab=[PAYLOAD]`.\n2. **Input Retrieval**: In `admin\u002Fadmin-page.php` (or the core class loading it), the plugin likely performs a check like:\n ```php\n $active_tab = filter_input(INPUT_GET, 'tab'); \n ```\n *Note: In PHP, `filter_input` with two arguments defaults to the raw string if no filter is provided.*\n3. **Vulnerable Sink**: Later in the same file, the `$active_tab` variable is used to construct navigation tabs or hidden inputs without escaping:\n ```php\n \u002F\u002F Likely vulnerable pattern (inferred from description)\n echo '\u003Ca href=\"?page=website-llms-txt&tab=' . $active_tab . '\">Tab Name\u003C\u002Fa>';\n ```\n4. **Execution**: The browser renders the malicious HTML, executing the payload in the context of the administrator's session.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS vulnerabilities in GET parameters typically **do not require nonces** for the initial reflection to occur, as the `tab` parameter is usually used for UI state rather than state-changing actions. The page itself is accessed via a standard menu link.\n\n- **Nonce Check**: The provided `admin\u002Fadmin-page.php` code shows nonces are checked for `cache_cleared` and `settings-updated` actions, but there is no nonce check required just to render the settings page or process the `tab` parameter.\n- **Bypass**: None needed for reflection.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate script execution in the admin dashboard.\n\n1. **Identify Admin Slug**: Confirm the exact URL for the settings page. Based on `README.txt`, it is under \"Settings\". The slug is likely `website-llms-txt`.\n2. **Payload Construction**: Use a payload that breaks out of an HTML attribute (most likely an `href` or `class` attribute in a tab list).\n - Payload: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n3. **HTTP Request**:\n - **Tool**: `http_request` (as an administrator).\n - **Method**: `GET`\n - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=website-llms-txt&tab=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E`\n4. **Alternative Payload** (if inside a `value` attribute):\n - Payload: `\" autofocus onfocus=\"alert(1)`\n\n## 6. Test Data Setup\n1. **Install and Activate**: Ensure the \"Website LLMs.txt\" plugin version 8.2.6 is installed and activated.\n2. **User**: Create or use an existing Administrator user account.\n3. **Session**: Log in as the administrator to obtain a valid session cookie for the `http_request` tool.\n\n## 7. Expected Results\n- The HTTP response body will contain the literal string `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>` inside an HTML attribute or tag, unescaped.\n- When viewed in a browser via the PoC agent, a JavaScript alert dialog showing the site domain will appear.\n\n## 8. Verification Steps\n1. **Source Inspection**: Use the `http_request` tool to fetch the settings page with a unique canary in the `tab` parameter.\n - Request: `GET \u002Fwp-admin\u002Foptions-general.php?page=website-llms-txt&tab=canary_xss_test`\n - Verification: Search the response for `canary_xss_test`. Check if it is wrapped in `esc_attr()` (e.g., `value=\"canary_xss_test\"`) or if it's raw.\n2. **Browser Confirmation**: Use `browser_navigate` to the malicious URL and check for the execution of JavaScript (e.g., checking for a global variable set by the script).\n\n## 9. Alternative Approaches\n- **Lesser Privileges**: Check if the page is accessible to \"Editors\" or \"Authors\". If so, the XSS impact remains but the target pool is larger.\n- **Admin Takeover Payload**: If `alert()` works, replace the payload with a script that uses the administrator's `_wpnonce_create-user` (extracted from `\u002Fwp-admin\u002Fuser-new.php`) to create a new administrator account.\n- **Payload Path**: If `options-general.php` returns 404 for that page, try `tools.php?page=llms-file-manager` or `admin.php?page=website-llms-txt`. (The redirect in `includes\u002Fclass-llms-generator.php` to `tools.php` strongly suggests checking the Tools menu).","The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the 'tab' parameter in versions up to and including 8.2.6. This occurs because the plugin uses filter_input() without a sanitization filter and outputs the resulting value directly into an HTML class attribute without proper escaping.","\u002F\u002F admin\u002Fadmin-page.php\n\n\u003C?php\n $tab = filter_input(INPUT_GET,'tab');\n?>\n\u003Cdiv class=\"card-column\">\n \u003Cdiv class=\"card \u003C?php echo $tab; ?>\">","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebsite-llms-txt\u002F8.2.6\u002Fadmin\u002Fadmin-page.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebsite-llms-txt\u002F8.2.7\u002Fadmin\u002Fadmin-page.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebsite-llms-txt\u002F8.2.6\u002Fadmin\u002Fadmin-page.php\t2026-02-11 11:25:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebsite-llms-txt\u002F8.2.7\u002Fadmin\u002Fadmin-page.php\t2026-03-13 18:44:40.000000000 +0000\n@@ -75,7 +75,7 @@\n \u003Cdiv id=\"llms-post-types-sortable\" class=\"sortable-list\">\n \u003C?php\n $post_types = get_post_types(array('public' => true), 'objects');\n- $ordered_types = array_flip($settings['post_types']); \u002F\u002F Create lookup array\n+ $ordered_types = array_flip($settings['post_types'] ?? []); \u002F\u002F Create lookup array\n $unordered_types = array(); \u002F\u002F For types not in the current order\n \n \u002F\u002F Separate ordered and unordered post types\n@@ -99,7 +99,7 @@\n \u003Cdiv class=\"sortable-item active\" data-post-type=\"\u003C?php echo esc_attr($post_type->name); ?>\">\n \u003Clabel>\n \u003Cinput type=\"checkbox\" name=\"llms_generator_settings[post_types][]\" value=\"\u003C?php echo esc_attr($post_type->name); ?>\" checked>\n- \u003Cinput type=\"text\" name=\"llms_generator_settings[post_name][\u003C?php echo esc_html($post_type->labels->name); ?>]\" value=\"\u003C?php echo $settings['post_name'][esc_html($post_type->labels->name)] ?? '' ?>\"\u002F>\n+ \u003Cinput type=\"text\" name=\"llms_generator_settings[post_name][\u003C?php echo esc_attr($post_type->labels->name); ?>]\" value=\"\u003C?php echo esc_attr($settings['post_name'][$post_type->labels->name] ?? '') ?>\"\u002F>\n \u003Cspan class=\"dashicons dashicons-menu\">\u003C\u002Fspan>\n \u003C?php echo esc_html($post_type->labels->name); ?>\n \u003Csmall style=\"opacity: 0.7;\">(\u003C?php echo intval($indexed_count) . ' indexed of ' . intval($all_count); ?>)\u003C\u002Fsmall>\n@@ -117,7 +117,7 @@\n \u003Cdiv class=\"sortable-item\" data-post-type=\"\u003C?php echo esc_attr($post_type->name); ?>\">\n \u003Clabel>\n \u003Cinput type=\"checkbox\" name=\"llms_generator_settings[post_types][]\" value=\"\u003C?php echo esc_attr($post_type->name); ?>\"\u002F>\n- \u003Cinput type=\"text\" name=\"llms_generator_settings[post_name][\u003C?php echo esc_html($post_type->labels->name); ?>]\" value=\"\u003C?php echo $settings['post_name'][esc_html($post_type->labels->name)] ?? '' ?>\"\u002F>\n+ \u003Cinput type=\"text\" name=\"llms_generator_settings[post_name][\u003C?php echo esc_attr($post_type->labels->name); ?>]\" value=\"\u003C?php echo esc_attr($settings['post_name'][$post_type->labels->name] ?? '') ?>\"\u002F>\n \u003Cspan class=\"dashicons dashicons-menu\">\u003C\u002Fspan>\n \u003C?php echo esc_html($post_type->labels->name); ?>\n \u003Csmall style=\"opacity: 0.7;\">(\u003C?php echo intval($indexed_count) . ' indexed of ' . intval($all_count); ?>)\u003C\u002Fsmall>\n@@ -197,10 +197,10 @@\n \u003C?php if(in_array($key, ['post_types', 'max_posts', 'max_words', 'include_meta', 'include_excerpts', 'detailed_content', 'include_taxonomies', 'gform_include'])) continue ?>\n \u003C?php if(is_array($value)):\n foreach($value as $second_key => $second_value):\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>][]\" value=\"\u003C?= $second_value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>][]\" value=\"\u003C?= esc_attr($second_value) ?>\"\u002F>\n \u003C?php endforeach\n else:\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>]\" value=\"\u003C?= $value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>]\" value=\"\u003C?= esc_attr($value) ?>\"\u002F>\n \u003C?php endif ?>\n \u003C?php endforeach ?>\n \u003C?php endif ?>\n@@ -256,10 +256,10 @@\n \u003C?php if(in_array($key, ['include_md_file', 'noindex_header', 'llms_allow_indexing', 'update_frequency'])) continue ?>\n \u003C?php if(is_array($value)):\n foreach($value as $second_key => $second_value):\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>][]\" value=\"\u003C?= $second_value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>][]\" value=\"\u003C?= esc_attr($second_value) ?>\"\u002F>\n \u003C?php endforeach\n else:\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>]\" value=\"\u003C?= $value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>]\" value=\"\u003C?= esc_attr($value) ?>\"\u002F>\n \u003C?php endif ?>\n \u003C?php endforeach ?>\n \u003C?php endif ?>\n@@ -314,28 +314,28 @@\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt Title', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n- \u003Ctextarea name=\"llms_generator_settings[llms_txt_title]\" style=\"width: 100%;height: 40px;\">\u003C?php echo (isset($settings['llms_txt_title']) ? $settings['llms_txt_title'] : '') ?>\u003C\u002Ftextarea>\n+ \u003Ctextarea name=\"llms_generator_settings[llms_txt_title]\" style=\"width: 100%;height: 40px;\">\u003C?php echo esc_textarea($settings['llms_txt_title'] ?? '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Set a custom title for your LLMs.txt file. This will appear at the top of the generated file before any listed URLs.', 'website-llms-txt'); ?>\u003C\u002Fi>\n \u003C\u002Fp>\n \u003Cp>\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt Description', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n- \u003Ctextarea name=\"llms_generator_settings[llms_txt_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo (isset($settings['llms_txt_description']) ? $settings['llms_txt_description'] : '') ?>\u003C\u002Ftextarea>\n+ \u003Ctextarea name=\"llms_generator_settings[llms_txt_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo esc_textarea($settings['llms_txt_description'] ?? '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Optional introduction text added before the list of URLs. Use this to explain the purpose or structure of your LLMs.txt file.', 'website-llms-txt'); ?>\u003C\u002Fi>\n \u003C\u002Fp>\n \u003Cp>\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt After Description', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n- \u003Ctextarea name=\"llms_generator_settings[llms_after_txt_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo (isset($settings['llms_after_txt_description']) ? $settings['llms_after_txt_description'] : '') ?>\u003C\u002Ftextarea>\n+ \u003Ctextarea name=\"llms_generator_settings[llms_after_txt_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo esc_textarea($settings['llms_after_txt_description'] ?? '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Optional text inserted right before the list of links or content entries. You can use it to add additional notes, context, or data usage information before the URLs begin.', 'website-llms-txt'); ?>\u003C\u002Fi>\n \u003C\u002Fp>\n \u003Cp>\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt End File Description', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n- \u003Ctextarea name=\"llms_generator_settings[llms_end_file_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo (isset($settings['llms_end_file_description']) ? $settings['llms_end_file_description'] : '') ?>\u003C\u002Ftextarea>\n+ \u003Ctextarea name=\"llms_generator_settings[llms_end_file_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo esc_textarea($settings['llms_end_file_description'] ?? '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Final text appended at the bottom of the LLMs.txt file (e.g. footer, contact, or disclaimer information).', 'website-llms-txt'); ?>\u003C\u002Fi>\n \u003C\u002Fp>\n \u003C?php if(!empty($settings)):\n@@ -343,10 +343,10 @@\n \u003C?php if(in_array($key, ['llms_txt_title', 'llms_txt_description', 'llms_after_txt_description', 'llms_end_file_description'])) continue ?>\n \u003C?php if(is_array($value)):\n foreach($value as $second_key => $second_value):\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>][]\" value=\"\u003C?= $second_value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>][]\" value=\"\u003C?= esc_attr($second_value) ?>\"\u002F>\n \u003C?php endforeach\n else:\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>]\" value=\"\u003C?= $value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>]\" value=\"\u003C?= esc_attr($value) ?>\"\u002F>\n \u003C?php endif ?>\n \u003C?php endforeach ?>\n \u003C?php endif ?>\n@@ -354,11 +354,9 @@\n \u003C\u002Fform>\n \u003C\u002Fdiv>\n \u003C\u002Fdiv>\n- \u003C?php\n- $tab = filter_input(INPUT_GET,'tab');\n- ?>\n+ \u003C?php $tab = sanitize_key(filter_input(INPUT_GET, 'tab')); ?>\n \u003Cdiv class=\"card-column\">\n- \u003Cdiv class=\"card \u003C?php echo $tab; ?>\">\n+ \u003Cdiv class=\"card \u003C?php echo esc_attr(sanitize_key($tab)); ?>\">\n \u003Cform method=\"post\" action=\"options.php\" id=\"llms-settings-crawler-form\">\n \u003C?php settings_fields('llms_generator_settings'); ?>\n \u003Ch2>\u003C?php esc_html_e('AI Crawler Detection','website-llms-txt') ?>\u003C\u002Fh2>\n@@ -383,10 +381,10 @@\n \u003C?php if(in_array($key, ['llms_local_log_enabled'])) continue ?>\n \u003C?php if(is_array($value)):\n foreach($value as $second_key => $second_value):\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>][]\" value=\"\u003C?= $second_value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>][]\" value=\"\u003C?= esc_attr($second_value) ?>\"\u002F>\n \u003C?php endforeach\n else:\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>]\" value=\"\u003C?= $value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>]\" value=\"\u003C?= esc_attr($value) ?>\"\u002F>\n \u003C?php endif ?>\n \u003C?php endforeach ?>\n \u003C?php endif ?>","1. An attacker identifies the plugin's settings page URL, typically `wp-admin\u002Foptions-general.php?page=website-llms-txt` (though sometimes registered under Tools).\n2. The attacker constructs a malicious URL including the `tab` GET parameter containing a script payload, for example: `?page=website-llms-txt&tab=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n3. The attacker crafts a delivery mechanism (e.g., a phishing email or a malicious site) to trick an authenticated WordPress Administrator into clicking this link.\n4. When the Administrator visits the link, the plugin retrieves the `tab` value via `filter_input(INPUT_GET, 'tab')` and reflects it into the HTML class attribute of a `div` element without escaping.\n5. The payload executes in the context of the Administrator's session, potentially allowing for session hijacking, unauthorized configuration changes, or the creation of new administrative accounts.","gemini-3-flash-preview","2026-04-27 14:17:09","2026-04-27 14:17:32",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","8.2.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebsite-llms-txt\u002Ftags\u002F8.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebsite-llms-txt.8.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebsite-llms-txt\u002Ftags\u002F8.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebsite-llms-txt.8.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebsite-llms-txt\u002Ftags"]