{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27068", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:42.768Z", "datePublished": "2026-03-19T08:42:37.658Z", "dateUpdated": "2026-03-19T13:50:41.247Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:42:37.658Z"}, "title": "WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "affected": [{"vendor": "Ryan Howard", "product": "Website LLMs.txt", "collectionURL": "https://wordpress.org/plugins", "packageName": "website-llms-txt", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "8.2.6", "changes": [{"at": "8.2.7", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.This issue affects Website LLMs.Txt: from n/a through 8.2.6.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.<p>This issue affects Website LLMs.Txt: from n/a through 8.2.6.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Website LLMs.txt plugin to the latest available version (at least 8.2.7).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Website LLMs.txt plugin to the latest available version (at least 8.2.7)."}]}], "credits": [{"lang": "en", "value": "benzdeus | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:49:36.391557Z", "id": "CVE-2026-27068", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:50:41.247Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:49:36.391557Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:50:02.766Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "benzdeus | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ryan Howard", "product": "Website LLMs.txt", "versions": [{"status": "affected", "changes": [{"at": "8.2.7", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "8.2.6"}], "packageName": "website-llms-txt", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Website LLMs.txt plugin to the latest available version (at least 8.2.7).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Website LLMs.txt plugin to the latest available version (at least 8.2.7).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.This issue affects Website LLMs.Txt: from n/a through 8.2.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.<p>This issue affects Website LLMs.Txt: from n/a through 8.2.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:42:37.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27068", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:50:41.247Z", "dateReserved": "2026-02-17T13:23:42.768Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:42:37.658Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.This issue affects Website LLMs.Txt: from n/a through 8.2.6."}], "id": "CVE-2026-27068", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:18.157", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.2.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[8.2.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Website LLMs.txt", "source": "cna", "vendor": "Ryan Howard"}, "product": "website_llms.txt", "vendor": "ryan_howard"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T10:20:32.903022+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin version (8.2.7 or newer) to eliminate the reflected XSS issue.", "Verify that the plugin version has been updated and that the website displays the new version number."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting (Reflected)"}, "threat_synthesis": {"affected_systems": "The affected product is the Website LLMs.Txt plugin developed by Ryan Howard. All plugin versions from the initial release through version\u202f8.2.6 are impacted. Versions 8.2.7 and newer are not affected.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation in the Website LLMs.Txt plugin. An attacker can inject malicious script content that is reflected back in the page response. This allows the execution of arbitrary client\u2011side code in the victim\u2019s browser, potentially facilitating session hijacking, defacement, or theft of sensitive data. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score is 7.1, indicating a high severity. No EPSS score is provided and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no documented public exploitation yet. The vulnerability is exploitable via a web browser: an attacker can embed a malicious script in a crafted URL or form submission that is reflected in the response sent to a target user. Successful exploitation requires that a user visits the manipulated page, which is a typical cross\u2011site scripting attack scenario."}}}}, "created": "2026-03-20T08:57:00.259469+00:00", "updated": "2026-03-20T14:15:13.238910+00:00", "vendors": ["ryan_howard", "ryan_howard$PRODUCT$website_llms.txt", "wordpress", "wordpress$PRODUCT$wordpress"]}