Security Alert Summary
The Website LLMs.txt plugin for WordPress contains a reflected Cross-Site Scripting (XSS) vulnerability via the tab parameter in all versions up to and including 8.2.6. The issue is caused by the use of filter_input() without a sanitization filter and insufficient output escaping, which can allow an unauthenticated attacker to inject scripts that execute if an administrator is tricked into performing an action such as clicking a link.
CVE Details
- CVE ID: CVE-2026-6711
- Affected component: Website LLMs.txt plugin for WordPress
- Affected versions: All versions up to, and including, 8.2.6
- Published: April 21, 2026 at 7:16:09 AM
- Last modified: April 21, 2026 at 7:16:09 AM
- CVSS v3.1: Base Score 6.1, Severity MEDIUM, Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: No privileges required (PR:N); user interaction required (UI:R)
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)
Technical Details
This vulnerability is a reflected Cross-Site Scripting (XSS) issue that occurs when the plugin reads the tab parameter via filter_input() without applying a sanitization filter and then outputs that value without sufficient escaping. Because the value can be reflected into an administrative page, an attacker can craft a URL containing a malicious script in the tab parameter. If an administrator or another user with sufficient privileges follows that link and triggers the reflected content, the injected script can execute in the context of the victim’s browser.
The underlying cause is a lack of input sanitization combined with inadequate output escaping for data originating from user-controlled parameters. The description does not name additional functions, REST endpoints, or specific files beyond the use of filter_input() and the tab parameter.
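The pattern the advisory describes, and the remediation a plugin author would apply, as an added illustration (hypothetical code, not the plugin's own; the tab names, the `my-plugin` page slug and the function names are assumed). `filter_input()` with no filter argument uses FILTER_DEFAULT, which returns the raw string, so the fix is to resolve the parameter against an allowlist and escape each output context separately:

```php
<?php
// Illustrative settings-page tab handling (hypothetical, not the plugin's code).

// UNSAFE pattern, as described in the advisory: filter_input() with the default
// filter (FILTER_DEFAULT does not sanitize) and the raw value echoed into HTML.
function render_tab_unsafe() {
    $tab = filter_input( INPUT_GET, 'tab' ) ?: 'general';
    echo '<a class="nav-tab nav-tab-active" href="?page=my-plugin&tab=' . $tab . '">'
        . $tab . '</a>';
}

// HARDENED: the request parameter only selects among known tabs and is never
// reflected verbatim; every output context gets the matching WordPress escaper.
function render_tab_safe() {
    $allowed_tabs = array( 'general', 'sitemap', 'advanced' ); // assumed tab names

    // sanitize_key() keeps only [a-z0-9_-], so quotes and angle brackets are gone
    // before the allowlist check; (string) turns a missing parameter (null) into ''.
    $tab = sanitize_key( (string) filter_input( INPUT_GET, 'tab', FILTER_DEFAULT ) );
    if ( ! in_array( $tab, $allowed_tabs, true ) ) {
        $tab = 'general'; // unknown value: fall back, do not echo the input
    }

    foreach ( $allowed_tabs as $candidate ) {
        $url   = add_query_arg(
            array( 'page' => 'my-plugin', 'tab' => $candidate ),
            admin_url( 'admin.php' )
        );
        $class = 'nav-tab' . ( $candidate === $tab ? ' nav-tab-active' : '' );
        printf(
            '<a class="%s" href="%s">%s</a>',
            esc_attr( $class ),              // attribute context
            esc_url( $url ),                 // URL context
            esc_html( ucfirst( $candidate ) ) // text context
        );
    }
}
```

Because the hardened version only ever outputs values from `$allowed_tabs`, no user-controlled string reaches the page at all; the escaping calls are defence in depth for the case where a later change widens what `$tab` can hold.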
How This Could Impact Your Website
In a typical WordPress site, administrators and editors access plugin settings and administrative pages frequently. An attacker could send a crafted link to a site administrator (for example, via email or a messaging channel used by internal staff or contractors). If the administrator clicks the link while logged into the site, the injected script could execute in their browser and perform actions that the administrator is permitted to do in the interface.
Practical consequences include exposure of session-based information in the administrator’s browser, risks of session hijacking or unauthorized actions performed from the administrator’s account context, and increased risk of targeted phishing if internal email addresses or other user-facing details are exposed through subsequent malicious actions. The CVSS impacts indicate limited confidentiality and integrity effects rather than full site takeover.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other non-admin accounts with write access.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your installation.
- Monitor site activity and admin logins for unusual behavior, such as unexpected changes or unfamiliar IP addresses.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.