CVE-2026-4091
Received Received - Intake
CSRF Vulnerability in OPEN-BRAIN WordPress Plugin Allows Admin Actions

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description
The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce verification on the settings form in the func_page_main() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4091
EUVD
EUVD-2026-22870
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-brain plugin to 0.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability exists in all versions of the OPEN-BRAIN WordPress plugin up to and including 0.5.0 due to missing nonce verification on the settings form.

To mitigate this vulnerability, you should update the OPEN-BRAIN plugin to a version later than 0.5.0 where the nonce verification issue is fixed.

Additionally, as a precaution, avoid clicking on suspicious links and ensure that only trusted administrators have access to the WordPress admin interface.

Executive Summary

The OPEN-BRAIN plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 0.5.0. This occurs because the plugin's settings form in the func_page_main() function lacks nonce verification, which is a security measure to confirm that requests are legitimate.

As a result, an attacker who is not authenticated can trick a site administrator into performing unintended actions by making them click on a malicious link, allowing the attacker to inject harmful web scripts.

Impact Analysis

This vulnerability can allow an attacker to execute unauthorized actions on your WordPress site by exploiting the trust of an authenticated administrator. Specifically, it can lead to the injection of malicious scripts, which may compromise the integrity and security of your website.

  • Potential unauthorized changes to site settings.
  • Injection of malicious web scripts that could affect site visitors or administrators.
  • Compromise of site confidentiality and integrity due to the attacker's ability to perform actions with administrator privileges.
Compliance Impact

The vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks by tricking site administrators into executing malicious actions. This can lead to unauthorized changes in the system, potentially compromising data integrity and security.

Such unauthorized actions and potential data manipulation could negatively impact compliance with standards like GDPR and HIPAA, which require strict controls over data security and integrity to protect personal and sensitive information.

However, the provided information does not explicitly detail the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart