CVE-2026-4091
CSRF Vulnerability in OPEN-BRAIN WordPress Plugin Allows Admin Actions
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-brain | plugin | up to and including 0.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists in all versions of the OPEN-BRAIN WordPress plugin up to and including 0.5.0 due to missing nonce verification on the settings form.
To mitigate this vulnerability, you should update the OPEN-BRAIN plugin to a version later than 0.5.0 where the nonce verification issue is fixed.
Additionally, as a precaution, avoid clicking on suspicious links and ensure that only trusted administrators have access to the WordPress admin interface.
Can you explain this vulnerability to me?
The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 0.5.0. The cause is that the plugin's settings form in the func_page_main() function lacks nonce verification, the check WordPress uses to confirm that a state-changing request was intentionally submitted from the site's own admin page rather than forged by a third-party site.
As a result, an unauthenticated attacker can trick a site administrator into performing unintended actions, such as changing the plugin's settings, by getting them to click a malicious link, which can in turn allow the injection of malicious web scripts.
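As an added illustration (not the OPEN-BRAIN plugin's own code), the following contrasts a WordPress settings handler with the flaw described above against a hardened one: the first saves any POST that arrives, while the second binds the form to a nonce with wp_nonce_field() and verifies it with check_admin_referer() before saving. All function, option and page names prefixed "example_" are assumed for the example.

```php
<?php
// Added example, not code from the OPEN-BRAIN plugin. Names prefixed
// "example_" are assumed for illustration.

// Shape of the flaw: the handler saves whatever arrives by POST. A page on
// another site can auto-submit such a form from an administrator's browser,
// and the browser attaches the admin's login cookies, so the change is accepted.
function example_page_main_vulnerable() {
    if ( isset( $_POST['example_setting'] ) ) {
        update_option( 'example_setting', $_POST['example_setting'] ); // no nonce check, no sanitization
    }
    $value = get_option( 'example_setting', '' );
    echo '<form method="post"><input name="example_setting" value="' . $value . '">'; // unescaped output
    submit_button();
    echo '</form>';
}

// Hardened handler: capability check, nonce bound to this action and to the
// current user, input sanitized before storage and escaped on output.
function example_page_main_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'example' ) );
    }
    if ( isset( $_POST['example_setting'] ) ) {
        // Dies with "The link you followed has expired." unless the request carries a
        // valid nonce for this action; a request forged from another site cannot supply one.
        check_admin_referer( 'example_save_settings', 'example_settings_nonce' );
        update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['example_setting'] ) ) );
    }
    $value = get_option( 'example_setting', '' );
    ?>
    <div class="wrap">
        <form method="post">
            <?php wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ); ?>
            <input type="text" name="example_setting" value="<?php echo esc_attr( $value ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// Register the hardened page under Settings; only users with manage_options see it.
add_action( 'admin_menu', function () {
    add_options_page( 'Example Settings', 'Example', 'manage_options', 'example-settings', 'example_page_main_fixed' );
} );
```

When reviewing a plugin for this class of issue, look for every branch that reads $_POST or $_GET and calls update_option() (or another state-changing function) without a preceding check_admin_referer() or wp_verify_nonce() call.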
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute unauthorized actions on your WordPress site by exploiting the trust of an authenticated administrator. Specifically, it can lead to the injection of malicious scripts, which may compromise the integrity and security of your website.
- Potential unauthorized changes to site settings.
- Injection of malicious web scripts that could affect site visitors or administrators.
- Compromise of site confidentiality and integrity due to the attacker's ability to perform actions with administrator privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks by tricking site administrators into executing malicious actions. This can lead to unauthorized changes in the system, potentially compromising data integrity and security.
Such unauthorized actions and potential data manipulation could negatively impact compliance with standards like GDPR and HIPAA, which require strict controls over data security and integrity to protect personal and sensitive information.
However, the provided information does not explicitly detail the direct impact on compliance with these regulations.