CVE-2026-3995
Stored XSS in OPEN-BRAIN WordPress Plugin Allows Admin Script Injection
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-brain | plugin | up to and including 0.5.0 |
| wordfence | open-brain | up to and including 0.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The OPEN-BRAIN plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'API Key' settings field in all versions up to and including 0.5.0.
This vulnerability arises because the plugin relies on sanitize_text_field(), which strips HTML tags but does not encode double quotes or the other special characters that must be escaped before a value is placed inside an HTML attribute.
As a result, the API key value is saved and later printed into an HTML input element's value attribute without attribute escaping (esc_attr()), so an authenticated administrator can supply input that breaks out of the attribute and injects script.
These injected scripts execute whenever a user accesses the plugin settings page, potentially compromising the site.
How can this vulnerability impact me?
This vulnerability allows authenticated users with Administrator-level access to inject arbitrary web scripts into the plugin settings page.
When other users visit the plugin settings page, these malicious scripts execute in their browsers, which can lead to theft of sensitive information, session hijacking, or other malicious actions.
Although the attacker must have high privileges to exploit this, the impact includes potential compromise of user accounts and site integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting in the OPEN-BRAIN WordPress plugin's 'API Key' settings field, exploitable by authenticated administrators. Detection would involve checking the plugin's version and inspecting the 'API Key' field for suspicious input that includes attribute breakout payloads such as double quotes followed by event handlers.
Since the vulnerability requires Administrator-level access and affects the plugin settings page, detection commands could include:
- Checking the installed version of the OPEN-BRAIN plugin to see if it is version 0.5.0 or earlier.
- Using WP-CLI to retrieve the 'API Key' option value to look for suspicious characters or scripts, e.g.: wp option get open_brain_api_key
- Reviewing the plugin settings page in the WordPress admin dashboard for any unexpected script execution or malformed input fields.
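The following PHP is an added illustration of the sanitize-on-save / escape-on-output distinction described in the explanation above, and of the kind of check a reviewer would run over a value returned by wp option get. It is not the OPEN-BRAIN plugin's code. The option and field names are hypothetical placeholders, and the two WordPress functions are replaced with small stand-ins that only approximate the real ones so the script runs outside WordPress; the sample stored values are constructed and are not real keys.

```php
<?php
// Added example, not code from the OPEN-BRAIN plugin.
// Stand-ins that approximate the WordPress helpers so this runs without WP loaded.
// Real sanitize_text_field() does more (UTF-8 checks, octet stripping), but the
// relevant property is the same: it strips tags and leaves double quotes alone.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str): string {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
        return trim($str);
    }
}
// Real esc_attr() is an HTML-attribute encoder; htmlspecialchars with ENT_QUOTES
// is the equivalent for this demonstration.
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

const EXAMPLE_OPTION = 'example_plugin_api_key'; // hypothetical option name

// Vulnerable pattern: the value was sanitized on save, then echoed raw into a
// value="" attribute. A double quote in the stored value closes the attribute.
function render_api_key_field_vulnerable(string $stored): string {
    return '<input type="text" name="api_key" value="' . $stored . '">';
}

// Hardened pattern: escape for the attribute context at the point of output.
function render_api_key_field_fixed(string $stored): string {
    return '<input type="text" name="api_key" value="' . esc_attr($stored) . '">';
}

// Reviewer check: does a stored value contain characters that can terminate an
// HTML attribute or open a tag? A legitimate API key should contain none of them.
function attribute_breakout_risk(string $stored): bool {
    return (bool) preg_match('/["\'<>]/', $stored);
}

// Constructed sample values standing in for what `wp option get` might return.
$samples = [
    'sk-abc123DEF456',   // benign: survives unchanged, renders safely either way
    'abc" data-x="y',    // no tags, so sanitize_text_field() keeps the quote
];

foreach ($samples as $raw) {
    $stored = sanitize_text_field($raw);   // what the sanitize-on-save path keeps
    printf("option %s stored as: %s\n", EXAMPLE_OPTION, $stored);
    printf("  vulnerable render: %s\n", render_api_key_field_vulnerable($stored));
    printf("  fixed render:      %s\n", render_api_key_field_fixed($stored));
    printf("  breakout risk:     %s\n", attribute_breakout_risk($stored) ? 'yes' : 'no');
}
```

Run with php on the command line. For the second sample the vulnerable render emits a second attribute because the stored quote closes value="", while the fixed render keeps the whole string inside the attribute as &quot;-encoded text; the check function flags that stored value, which is the signal to look for when reviewing the option retrieved from a possibly affected site.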
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict Administrator-level access to trusted users only, as exploitation requires authenticated admin privileges.
- Avoid entering or saving any untrusted or suspicious input in the 'API Key' settings field.
- Update the OPEN-BRAIN plugin to a version later than 0.5.0 once a patched release is available.
- As a temporary workaround, consider disabling the plugin if it is not essential.