CVE-2026-3995
Received Received - Intake
Stored XSS in OPEN-BRAIN WordPress Plugin Allows Admin Script Injection

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: Wordfence

Description
The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags but does not encode double quotes or other HTML-special characters needed for safe attribute context output. The API key value is saved via update_option() and later output into an HTML input element's value attribute without esc_attr() escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts via attribute breakout payloads (e.g., double quotes followed by event handlers) that execute whenever a user accesses the plugin settings page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3995
EUVD
EUVD-2026-23213
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
open-brain plugin to 0.5.0 (inc)
wordfence open-brain to 0.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The OPEN-BRAIN plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'API Key' settings field in all versions up to and including 0.5.0.

This vulnerability arises because the plugin uses sanitize_text_field() which removes HTML tags but does not encode double quotes or other special HTML characters necessary for safe output in HTML attribute contexts.

As a result, the API key value is saved and later output into an HTML input element's value attribute without proper escaping (esc_attr()), allowing authenticated administrators to inject malicious scripts via specially crafted input.

These injected scripts execute whenever a user accesses the plugin settings page, potentially compromising the site.

Impact Analysis

This vulnerability allows authenticated users with Administrator-level access to inject arbitrary web scripts into the plugin settings page.

When other users visit the plugin settings page, these malicious scripts execute in their browsers, which can lead to theft of sensitive information, session hijacking, or other malicious actions.

Although the attacker must have high privileges to exploit this, the impact includes potential compromise of user accounts and site integrity.

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting in the OPEN-BRAIN WordPress plugin's 'API Key' settings field, exploitable by authenticated administrators. Detection would involve checking the plugin's version and inspecting the 'API Key' field for suspicious input that includes attribute breakout payloads such as double quotes followed by event handlers.

Since the vulnerability requires Administrator-level access and affects the plugin settings page, detection commands could include:

  • Checking the installed version of the OPEN-BRAIN plugin to see if it is version 0.5.0 or earlier.
  • Using WP-CLI to retrieve the 'API Key' option value to look for suspicious characters or scripts, e.g.: wp option get open_brain_api_key
  • Reviewing the plugin settings page in the WordPress admin dashboard for any unexpected script execution or malformed input fields.
Mitigation Strategies

Immediate mitigation steps include:

  • Restrict Administrator-level access to trusted users only, as exploitation requires authenticated admin privileges.
  • Avoid entering or saving any untrusted or suspicious input in the 'API Key' settings field.
  • Update the OPEN-BRAIN plugin to a version later than 0.5.0 once a patched release is available.
  • As a temporary workaround, consider disabling the plugin if it is not essential.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3995. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart