WP-Safety
CVE-2026-4091

OPEN-BRAIN <= 0.5.0 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce verification on the settings form in the func_page_main() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.5.0
PublishedApril 14, 2026
Last updatedApril 15, 2026
Affected pluginopen-brain
Research Plan
Unverified

This plan outlines the research and exploitation strategy for **CVE-2026-4091** (OPEN-BRAIN <= 0.5.0), a Cross-Site Request Forgery (CSRF) vulnerability that allows for the injection of malicious scripts (Stored XSS). --- ### 1. Vulnerability Summary The **OPEN-BRAIN** plugin (versions <= 0.5.0) f…

Show full research plan

This plan outlines the research and exploitation strategy for CVE-2026-4091 (OPEN-BRAIN <= 0.5.0), a Cross-Site Request Forgery (CSRF) vulnerability that allows for the injection of malicious scripts (Stored XSS).

1. Vulnerability Summary

The OPEN-BRAIN plugin (versions <= 0.5.0) fails to implement nonce verification in its primary settings management function, func_page_main(). This function handles the processing and saving of plugin configuration. Because it lacks CSRF protection, an attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., via a phishing link), modifies the plugin settings. Furthermore, because these settings are likely rendered back into the admin dashboard without sufficient escaping, this CSRF serves as a vector for Stored Cross-Site Scripting (XSS).

2. Attack Vector Analysis

  • Vulnerable Endpoint: wp-admin/admin.php?page=open-brain (inferred slug).
  • Vulnerable Function: func_page_main().
  • HTTP Method: POST.
  • Authentication Level: Administrator (victim).
  • Payload Carrying Parameter: Inferred setting fields such as open_brain_id, open_brain_key, or any text-based configuration field processed in the $_POST array within func_page_main().
  • Preconditions: An administrator must have an active session and be tricked into submitting a forged request.

3. Code Flow

  1. Registration: The plugin registers an admin menu page via add_menu_page() or add_options_page() in the admin_menu hook, pointing to the callback func_page_main.
  2. Entry Point: When an admin visits the settings page or submits the form, WordPress invokes func_page_main().
  3. Processing:
    • The function checks if $_POST data is present (e.g., if (isset($_POST['submit']))).
    • The Vulnerability: It proceeds to process the input without calling check_admin_referer() or wp_verify_nonce().
  4. Sink: The user-supplied input is passed to update_option().
  5. XSS Trigger: On subsequent loads of the admin page, the malicious value is retrieved via get_option() and echoed into the HTML, triggering the script.

4. Nonce Acquisition Strategy

No nonce is required. The core of this vulnerability is the complete absence of nonce verification in func_page_main(). An attacker does not need to bypass a nonce check; they simply omit it from the forged request.

5. Exploitation Strategy

The goal is to perform a CSRF that updates a setting with a JavaScript payload, achieving Stored XSS.

Step-by-Step Plan:

  1. Discover Parameters: Navigate to the plugin settings page as an admin and identify the exact name attributes of the input fields and the submit button.
  2. Identify Target URL: Confirm the admin page URL (e.g., wp-admin/admin.php?page=open-brain).
  3. Craft the Payload: Use a simple XSS probe: <script>alert(origin)</script>.
  4. Execute Forged Request: Use the http_request tool with administrator cookies to simulate the CSRF attack.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin.php?page=open-brain
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body (Example - keys must be verified):
    open_brain_key=<script>alert(origin)</script>&submit=Save+Changes

6. Test Data Setup

  1. Plugin Installation: Ensure the OPEN-BRAIN plugin (version <= 0.5.0) is active.
  2. Administrative User: A standard WordPress admin user must exist.
  3. No Shortcodes Required: Unlike AJAX-based vulnerabilities, this is a standard admin-post CSRF; it does not rely on frontend script localization.

7. Expected Results

  • The http_request should return a 302 Redirect or a 200 OK indicating the settings were updated.
  • The WordPress database should now contain the XSS payload in the corresponding option.
  • Navigating to the plugin settings page in the browser should trigger a JavaScript alert.

8. Verification Steps

After the http_request, verify the impact using wp-cli:

# Check if the option was updated with the payload
wp option get open_brain_key 
# (Replace 'open_brain_key' with the actual option name found during research)

To verify the XSS via the browser:

  1. Use browser_navigate to http://localhost:8080/wp-admin/admin.php?page=open-brain.
  2. Check for the presence of the script in the page source or use browser_eval to check if a specific global variable was set by your payload.

9. Alternative Approaches

  • Action Hook Hijacking: If the plugin uses admin_post_ or admin_ajax_ instead of a direct menu callback, the target URL would be wp-admin/admin-post.php or wp-admin/admin-ajax.php.
  • Check for $_REQUEST: If the plugin uses $_REQUEST instead of $_POST, the exploit can be delivered via a simple GET request (e.g., <img src="...">), bypassing some browser-level CSRF protections.
  • Blind XSS: If the payload isn't reflected on the settings page, check other admin pages where the plugin settings might be used (e.g., post editors or dashboards).
Research Findings
Static analysis — not yet PoC-verified

Summary

The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 0.5.0. This occurs because the main settings page handler fails to perform nonce verification when processing configuration updates, allowing attackers to modify plugin settings or inject malicious scripts via a victim administrator's browser session.

Vulnerable Code

// open-brain.php (inferred location based on func_page_main)
function func_page_main() {
    if (isset($_POST['submit'])) {
        // Vulnerability: No call to check_admin_referer() or wp_verify_nonce()
        $open_brain_id = $_POST['open_brain_id'];
        $open_brain_key = $_POST['open_brain_key'];

        update_option('open_brain_id', $open_brain_id);
        update_option('open_brain_key', $open_brain_key);
    }
    // ... (form rendering logic) ...
}

Security Fix

--- open-brain.php
+++ open-brain.php
@@ -X,X +X,X @@
 function func_page_main() {
     if (isset($_POST['submit'])) {
+        check_admin_referer('open_brain_save_settings');
-        $open_brain_id = $_POST['open_brain_id'];
-        $open_brain_key = $_POST['open_brain_key'];
+        $open_brain_id = sanitize_text_field($_POST['open_brain_id']);
+        $open_brain_key = sanitize_text_field($_POST['open_brain_key']);
 
         update_option('open_brain_id', $open_brain_id);
         update_option('open_brain_key', $open_brain_key);
     }
+    // Inside the HTML form rendering
+    wp_nonce_field('open_brain_save_settings');

Exploit Outline

The exploit targets the plugin settings page (typically at wp-admin/admin.php?page=open-brain). An attacker crafts a malicious HTML page containing a form that auto-submits via POST to the settings URL. The form includes plugin configuration parameters (e.g., 'open_brain_key') populated with a Stored XSS payload like <script>alert(origin)</script>. Since the plugin's func_page_main() function does not check for a WordPress security nonce, the request will be processed successfully if visited by a logged-in administrator. The payload is saved to the database and executed whenever the settings page or other areas utilizing these options are loaded.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/93df6480-9bb1-4f5d-bb39-ff1a01d739cf?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database