Description
The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags but does not encode double quotes or other HTML-special characters needed for safe attribute context output. The API key value is saved via update_option() and later output into an HTML input element's value attribute without esc_attr() escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts via attribute breakout payloads (e.g., double quotes followed by event handlers) that execute whenever a user accesses the plugin settings page.
Published: 2026-04-16
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The OPEN‑BRAIN WordPress plugin contains a stored cross‑site scripting flaw caused by an insufficient sanitization routine for the 'API Key' setting field. The plugin calls sanitize_text_field(), which removes HTML tags but leaves double quotes and other HTML-special characters intact, and later outputs the value into an input element's value attribute without esc_attr() escaping. An administrator‑level user can therefore inject an attribute‑breakout payload, such as a double quote followed by an event handler, that executes in the browser of any user who opens the plugin settings page.
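The sanitize-versus-escape distinction described above (and in the CVE description), as an added example that is not part of the advisory or of the plugin's code: it assumes the template shape `<input ... value="...">` from the description, and defines simplified stand-ins for sanitize_text_field() and esc_attr() only when run outside WordPress.

```php
<?php
// Added example, not code from the OPEN-BRAIN plugin: contrasts the vulnerable
// pattern the advisory describes with the esc_attr() fix. The two shims below are
// simplified stand-ins (an assumption) so the script also runs outside WordPress;
// inside WordPress the real functions are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str)); // strips tags, leaves quotes alone
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable output: the stored value is concatenated straight into the attribute.
function openbrain_render_vulnerable($api_key) {
    return '<input type="text" name="api_key" value="' . $api_key . '">';
}

// Hardened output: encode for attribute context at the moment of output.
// (sanitize_text_field() on save is still fine; it is just not an output encoder.)
function openbrain_render_fixed($api_key) {
    return '<input type="text" name="api_key" value="' . esc_attr($api_key) . '">';
}

// What a browser sees: parse the rendered markup and list the input's attributes.
// A breakout shows up as an attribute the template never declared.
function openbrain_input_attributes($html) {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed value: the double quote closes value="..." and the remainder is
// parsed as a new attribute (an event handler would be parsed the same way).
$stored = sanitize_text_field('abc" data-breakout="1'); // unchanged by sanitize_text_field()

foreach (['vulnerable' => openbrain_render_vulnerable($stored),
          'fixed'      => openbrain_render_fixed($stored)] as $label => $html) {
    $extra = array_diff(openbrain_input_attributes($html), ['type', 'name', 'value']);
    echo $label, ': ', $extra ? 'breakout attribute ' . implode(',', $extra) : 'no breakout', PHP_EOL;
}
```

The same check (attributes present in the parsed element versus attributes declared in the template) can be applied to any setting the plugin echoes into markup.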

Affected Systems

All instances of the OPEN‑BRAIN plugin for WordPress with versions up to and including 0.5.0, published by the vendor Faridsaniee (product identifier faridsaniee:OPEN‑BRAIN). No fixed version has been published, so any deployment of these versions is potentially vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 4.4, reflecting moderate severity. The EPSS score is below 1%, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack can be carried out only by authenticated users with Administrator privileges, who can access the settings page, inject the payload, and trigger its execution on subsequent visits by other users. Because unauthenticated users cannot inject the payload, the risk is confined to environments where the attacker can obtain admin credentials or social‑engineer an admin user.

Generated by OpenCVE AI on April 17, 2026 at 05:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the OPEN‑BRAIN plugin to the latest available vendor‑released version.
  • If an upgrade cannot be performed immediately, disable editing of the API key field for all roles or remove the field entirely to eliminate the injection vector.
  • Monitor site logs for unusual script injection attempts and restrict or block administrative access as a temporary measure.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

Type: Metrics | Values Removed: - | Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 09:30:00 +0000

Type: First Time appeared | Values Removed: - | Values Added: Faridsaniee; Faridsaniee open-brain; Wordpress; Wordpress wordpress
Type: Vendors & Products | Values Removed: - | Values Added: Faridsaniee; Faridsaniee open-brain; Wordpress; Wordpress wordpress

Thu, 16 Apr 2026 07:15:00 +0000

Type: Description | Values Removed: - | Values Added: The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags but does not encode double quotes or other HTML-special characters needed for safe attribute context output. The API key value is saved via update_option() and later output into an HTML input element's value attribute without esc_attr() escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts via attribute breakout payloads (e.g., double quotes followed by event handlers) that execute whenever a user accesses the plugin settings page.
Type: Title | Values Removed: - | Values Added: OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting
Type: Weaknesses | Values Removed: - | Values Added: CWE-79
Type: References | Values Removed: - | Values Added: -
Type: Metrics | Values Removed: - | Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T12:04:24.073Z

Reserved: 2026-03-11T17:04:22.771Z

Link: CVE-2026-3995

Vulnrichment

Updated: 2026-04-16T11:12:03.420Z

NVD

Status: Received

Published: 2026-04-16T07:16:30.503

Modified: 2026-04-16T07:16:30.503

Link: CVE-2026-3995

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T06:00:09Z

Weaknesses