Stored Cross-Site Scripting in Website LLMs.txt Plugin for WordPress
CVE-2026-6712

4.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 21 April 2026

What is CVE-2026-6712?

The Website LLMs.txt plugin for WordPress contains a stored cross-site scripting vulnerability that allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts. The cause is insufficient input sanitization and output escaping in the plugin's admin settings. The issue primarily affects multi-site installations and installations where unfiltered HTML has been disabled. In those configurations administrators are not otherwise permitted to post unfiltered HTML, so the plugin's settings give them a way around that restriction. An injected script runs whenever a user accesses an affected page, potentially leading to unauthorized actions and data exposure.

Affected Version(s)

Website LLMs.txt 0 <= 8.2.6

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto