[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcuVQeStp-2ZrVkRG8__ulAnnmjlmicj_Hlpj_hQnFPs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-27068","website-llmstxt-reflected-cross-site-scripting","Website LLMs.txt \u003C= 8.2.6 - Reflected Cross-Site Scripting","The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","website-llms-txt",null,"\u003C=8.2.6","8.2.7","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-12 00:00:00","2026-03-19 14:57:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F618e92af-a669-42d6-9d95-78c3e8e18f11?source=api-prod",8,[22,23,24,25],"README.txt","admin\u002Fadmin-page.php","includes\u002Fclass-llms-generator.php","website-llms-txt.php","researched",false,3,"\n $wpdb->prepare(\"SELECT COUNT(*) FROM {$table} WHERE type = %s\", $post_type->name)\n );\n ```\n No, that's a DB query.\n\n Wait, I've got it. Look at the `README.txt`:\n \"The plugin includes fallback logic... it serves llms.txt virtually through WordPress rewrite rules\".\n If the rewrite rules use a parameter that is then reflected.\n Like `index.php?llms_txt=1&preview=\u003Cscript>`.\n\n Actually, let's look at `admin\u002Fadmin-page.php` one more time.\n What if it's the `settings-updated` or `cache_cleared` logic?\n Wait, I missed something extremely simple.\n The nonces are checked:\n ```php\n if (wp_verify_nonce($nonce, 'llms_cache_cleared')) {\n echo ...;\n }\n ```\n But what if the `_wpnonce` is reflected *without* validation in an error message?\n No.\n\n Let's look at the `admin-page.php` truncated section again.\n Often, these plugins have a \"Regenerating...\" message that reflects the progress or the current item being processed.\n `ajax_gen_step` handles the batches.\n\n Wait! I found a `$_GET` that I missed.\n Look at `admin\u002Fadmin-page.php","The Website LLMs.txt plugin is vulnerable to Reflected Cross-Site Scripting via the 'tab' query parameter and several settings fields in the admin dashboard. This allows unauthenticated attackers to execute arbitrary JavaScript in the context of a logged-in administrator's browser by tricking them into clicking a specially crafted link.","\u002F\u002F admin\u002Fadmin-page.php:358\n$tab = filter_input(INPUT_GET,'tab');\n?>\n\u003Cdiv class=\"card-column\">\n \u003Cdiv class=\"card \u003C?php echo $tab; ?>\">\n\n---\n\n\u002F\u002F admin\u002Fadmin-page.php:317\n\u003Cp>\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt Title', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n \u003Ctextarea name=\"llms_generator_settings[llms_txt_title]\" style=\"width: 100%;height: 40px;\">\u003C?php echo (isset($settings['llms_txt_title']) ? $settings['llms_txt_title'] : '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Set a custom title for your LLMs.txt file. This will appear at the top of the generated file before any listed URLs.', 'website-llms-txt'); ?>\u003C\u002Fi>\n\u003C\u002Fp>\n\n---\n\n\u002F\u002F admin\u002Fadmin-page.php:200\n\u003C?php if(is_array($value)): ?>\n \u003C?php foreach($value as $second_key => $second_value): ?>\n \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>][]\" value=\"\u003C?= $second_value ?>\"\u002F>\n \u003C?php endforeach ?>\n\u003C?php else: ?>\n \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>]\" value=\"\u003C?= $value ?>\"\u002F>\n\u003C?php endif ?>","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebsite-llms-txt\u002F8.2.6\u002Fadmin\u002Fadmin-page.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebsite-llms-txt\u002F8.2.7\u002Fadmin\u002Fadmin-page.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebsite-llms-txt\u002F8.2.6\u002Fadmin\u002Fadmin-page.php\t2026-02-11 11:25:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebsite-llms-txt\u002F8.2.7\u002Fadmin\u002Fadmin-page.php\t2026-03-13 18:44:40.000000000 +0000\n@@ -314,28 +314,28 @@\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt Title', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n- \u003Ctextarea name=\"llms_generator_settings[llms_txt_title]\" style=\"width: 100%;height: 40px;\">\u003C?php echo (isset($settings['llms_txt_title']) ? $settings['llms_txt_title'] : '') ?>\u003C\u002Ftextarea>\n+ \u003Ctextarea name=\"llms_generator_settings[llms_txt_title]\" style=\"width: 100%;height: 40px;\">\u003C?php echo esc_textarea($settings['llms_txt_title'] ?? '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Set a custom title for your LLMs.txt file. This will appear at the top of the generated file before any listed URLs.', 'website-llms-txt'); ?>\u003C\u002Fi>\n \u003C\u002Fp>\n \u003Cp>\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt Description', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n- \u003Ctextarea name=\"llms_generator_settings[llms_txt_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo (isset($settings['llms_txt_description']) ? $settings['llms_txt_description'] : '') ?>\u003C\u002Ftextarea>\n+ \u003Ctextarea name=\"llms_generator_settings[llms_txt_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo esc_textarea($settings['llms_txt_description'] ?? '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Optional introduction text added before the list of URLs. Use this to explain the purpose or structure of your LLMs.txt file.', 'website-llms-txt'); ?>\u003C\u002Fi>\n \u003C\u002Fp>\n \u003Cp>\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt After Description', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n- \u003Ctextarea name=\"llms_generator_settings[llms_after_txt_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo (isset($settings['llms_after_txt_description']) ? $settings['llms_after_txt_description'] : '') ?>\u003C\u002Ftextarea>\n+ \u003Ctextarea name=\"llms_generator_settings[llms_after_txt_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo esc_textarea($settings['llms_after_txt_description'] ?? '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Optional text inserted right before the list of links or content entries. You can use it to add additional notes, context, or data usage information before the URLs begin.', 'website-llms-txt'); ?>\u003C\u002Fi>\n \u003C\u002Fp>\n \u003Cp>\n \u003Clabel>\n \u003Cb>\u003C?php esc_html_e('LLMS.txt End File Description', 'website-llms-txt'); ?>\u003C\u002Fb>\n \u003C\u002Flabel>\u003Cbr\u002F>\n- \u003Ctextarea name=\"llms_generator_settings[llms_end_file_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo (isset($settings['llms_end_file_description']) ? $settings['llms_end_file_description'] : '') ?>\u003C\u002Ftextarea>\n+ \u003Ctextarea name=\"llms_generator_settings[llms_end_file_description]\" style=\"width: 100%;height: 80px;\">\u003C?php echo esc_textarea($settings['llms_end_file_description'] ?? '') ?>\u003C\u002Ftextarea>\n \u003Ci>\u003C?php esc_html_e('Final text appended at the bottom of the LLMs.txt file (e.g. footer, contact, or disclaimer information).', 'website-llms-txt'); ?>\u003C\u002Fi>\n \u003C\u002Fp>\n \u003C?php if(!empty($settings)): ?>\n@@ -343,10 +343,10 @@\n \u003C?php if(in_array($key, ['llms_txt_title', 'llms_txt_description', 'llms_after_txt_description', 'llms_end_file_description'])) continue ?>\n \u003C?php if(is_array($value)): ?>\n \u003C?php foreach($value as $second_key => $second_value): ?>\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>][]\" value=\"\u003C?= $second_value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>][]\" value=\"\u003C?= esc_attr($second_value) ?>\"\u002F>\n \u003C?php endforeach ?>\n \u003C?php else: ?>\n- \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= $key ?>]\" value=\"\u003C?= $value ?>\"\u002F>\n+ \u003Cinput type=\"hidden\" name=\"llms_generator_settings[\u003C?= esc_attr($key) ?>]\" value=\"\u003C?= esc_attr($value) ?>\"\u002F>\n \u003C?php endif ?>\n \u003C?php endforeach ?>\n \u003C?php endif ?>\n@@ -354,11 +354,9 @@\n \u003C\u002Fform>\n \u003C\u002Fdiv>\n \u003C\u002Fdiv>\n- \u003C?php\n- $tab = filter_input(INPUT_GET,'tab');\n- ?>\n+ \u003C?php $tab = sanitize_key(filter_input(INPUT_GET, 'tab')); ?>\n \u003Cdiv class=\"card-column\">\n- \u003Cdiv class=\"card \u003C?php echo $tab; ?>\">\n+ \u003Cdiv class=\"card \u003C?php echo esc_attr(sanitize_key($tab)); ?>\">\n \u003Cform method=\"post\" action=\"options.php\" id=\"llms-settings-crawler-form\">\n \u003C?php settings_fields('llms_generator_settings'); ?>\n \u003Ch2>\u003C?php esc_html_e('AI Crawler Detection','website-llms-txt') ?>\u003C\u002Fh2>","The exploit targets the plugin's admin settings page, typically found at `\u002Fwp-admin\u002Foptions-general.php?page=llms-file-manager`. An attacker can append a malicious payload to the 'tab' query parameter (e.g., `&tab=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`). When a logged-in administrator visits this URL, the payload breaks out of the HTML class attribute and executes in the victim's browser session. Additionally, the plugin reflected several saved settings and hidden input fields without escaping, which could facilitate Reflected XSS if combined with a form submission that mirrors input or if an attacker can manipulate the options array.","gemini-3-flash-preview","2026-04-18 04:04:43","2026-04-18 04:05:33",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","8.2.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebsite-llms-txt\u002Ftags\u002F8.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebsite-llms-txt.8.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebsite-llms-txt\u002Ftags\u002F8.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebsite-llms-txt.8.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebsite-llms-txt\u002Ftags"]