[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faLASEsIBMFcMsGisAaG18_e5PI58PW9_TKBNOvzQp5Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-4091","open-brain-cross-site-request-forgery","OPEN-BRAIN \u003C= 0.5.0 - Cross-Site Request Forgery","The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce verification on the settings form in the func_page_main() function. 
This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","open-brain",null,"\u003C=0.5.0","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-14 19:46:41","2026-04-15 08:28:15",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F93df6480-9bb1-4f5d-bb39-ff1a01d739cf?source=api-prod",[],"researched",false,3,"This plan outlines the research and exploitation strategy for **CVE-2026-4091** (OPEN-BRAIN \u003C= 0.5.0), a Cross-Site Request Forgery (CSRF) vulnerability that allows for the injection of malicious scripts (Stored XSS).\n\n---\n\n### 1. Vulnerability Summary\nThe **OPEN-BRAIN** plugin (versions \u003C= 0.5.0) fails to implement nonce verification in its primary settings management function, `func_page_main()`. This function handles the processing and saving of plugin configuration. Because it lacks CSRF protection, an attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., via a phishing link), modifies the plugin settings. Furthermore, because these settings are likely rendered back into the admin dashboard without sufficient escaping, this CSRF serves as a vector for **Stored Cross-Site Scripting (XSS)**.\n\n### 2. 
Attack Vector Analysis\n*   **Vulnerable Endpoint:** `wp-admin\u002Fadmin.php?page=open-brain` (inferred slug).\n*   **Vulnerable Function:** `func_page_main()`.\n*   **HTTP Method:** `POST`.\n*   **Authentication Level:** Administrator (victim).\n*   **Payload Carrying Parameter:** Inferred setting fields such as `open_brain_id`, `open_brain_key`, or any text-based configuration field processed in the `$_POST` array within `func_page_main()`.\n*   **Preconditions:** An administrator must have an active session and be tricked into submitting a forged request.\n\n### 3. Code Flow\n1.  **Registration:** The plugin registers an admin menu page via `add_menu_page()` or `add_options_page()` in the `admin_menu` hook, pointing to the callback `func_page_main`.\n2.  **Entry Point:** When an admin visits the settings page or submits the form, WordPress invokes `func_page_main()`.\n3.  **Processing:** \n    *   The function checks if `$_POST` data is present (e.g., `if (isset($_POST['submit']))`).\n    *   **The Vulnerability:** It proceeds to process the input **without** calling `check_admin_referer()` or `wp_verify_nonce()`.\n4.  **Sink:** The user-supplied input is passed to `update_option()`.\n5.  **XSS Trigger:** On subsequent loads of the admin page, the malicious value is retrieved via `get_option()` and echoed into the HTML, triggering the script.\n\n### 4. Nonce Acquisition Strategy\n**No nonce is required.** The core of this vulnerability is the **complete absence** of nonce verification in `func_page_main()`. An attacker does not need to bypass a nonce check; they simply omit it from the forged request.\n\n### 5. Exploitation Strategy\nThe goal is to perform a CSRF that updates a setting with a JavaScript payload, achieving Stored XSS.\n\n**Step-by-Step Plan:**\n\n1.  **Discover Parameters:** Navigate to the plugin settings page as an admin and identify the exact `name` attributes of the input fields and the submit button.\n2.  
**Identify Target URL:** Confirm the admin page URL (e.g., `wp-admin\u002Fadmin.php?page=open-brain`).\n3.  **Craft the Payload:** Use a simple XSS probe: `\u003Cscript>alert(origin)\u003C\u002Fscript>`.\n4.  **Execute Forged Request:** Use the `http_request` tool with **administrator cookies** to simulate the CSRF attack.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=open-brain`\n*   **Method:** `POST`\n*   **Headers:**\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body (Example - keys must be verified):**\n    `open_brain_key=\u003Cscript>alert(origin)\u003C\u002Fscript>&submit=Save+Changes`\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure the OPEN-BRAIN plugin (version \u003C= 0.5.0) is active.\n2.  **Administrative User:** A standard WordPress admin user must exist.\n3.  **No Shortcodes Required:** Unlike AJAX-based vulnerabilities, this is a standard admin-post CSRF; it does not rely on frontend script localization.\n\n### 7. Expected Results\n*   The `http_request` should return a `302 Redirect` or a `200 OK` indicating the settings were updated.\n*   The WordPress database should now contain the XSS payload in the corresponding option.\n*   Navigating to the plugin settings page in the browser should trigger a JavaScript alert.\n\n### 8. Verification Steps\nAfter the `http_request`, verify the impact using `wp-cli`:\n\n```bash\n# Check if the option was updated with the payload\nwp option get open_brain_key \n# (Replace 'open_brain_key' with the actual option name found during research)\n```\n\nTo verify the XSS via the browser:\n1.  Use `browser_navigate` to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=open-brain`.\n2.  Check for the presence of the script in the page source or use `browser_eval` to check if a specific global variable was set by your payload.\n\n### 9. 
Alternative Approaches\n*   **Action Hook Hijacking:** If the plugin uses `admin_post_` or `admin_ajax_` instead of a direct menu callback, the target URL would be `wp-admin\u002Fadmin-post.php` or `wp-admin\u002Fadmin-ajax.php`. \n*   **Check for `$_REQUEST`:** If the plugin uses `$_REQUEST` instead of `$_POST`, the exploit can be delivered via a simple `GET` request (e.g., `\u003Cimg src=\"...\">`), bypassing some browser-level CSRF protections.\n*   **Blind XSS:** If the payload isn't reflected on the settings page, check other admin pages where the plugin settings might be used (e.g., post editors or dashboards).","The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 0.5.0. This occurs because the main settings page handler fails to perform nonce verification when processing configuration updates, allowing attackers to modify plugin settings or inject malicious scripts via a victim administrator's browser session.","\u002F\u002F open-brain.php (inferred location based on func_page_main)\nfunction func_page_main() {\n    if (isset($_POST['submit'])) {\n        \u002F\u002F Vulnerability: No call to check_admin_referer() or wp_verify_nonce()\n        $open_brain_id = $_POST['open_brain_id'];\n        $open_brain_key = $_POST['open_brain_key'];\n\n        update_option('open_brain_id', $open_brain_id);\n        update_option('open_brain_key', $open_brain_key);\n    }\n    \u002F\u002F ... 
(form rendering logic) ...\n}","--- open-brain.php\n+++ open-brain.php\n@@ -X,X +X,X @@\n function func_page_main() {\n     if (isset($_POST['submit'])) {\n+        check_admin_referer('open_brain_save_settings');\n-        $open_brain_id = $_POST['open_brain_id'];\n-        $open_brain_key = $_POST['open_brain_key'];\n+        $open_brain_id = sanitize_text_field($_POST['open_brain_id']);\n+        $open_brain_key = sanitize_text_field($_POST['open_brain_key']);\n \n         update_option('open_brain_id', $open_brain_id);\n         update_option('open_brain_key', $open_brain_key);\n     }\n+    \u002F\u002F Inside the HTML form rendering\n+    wp_nonce_field('open_brain_save_settings');","The exploit targets the plugin settings page (typically at wp-admin\u002Fadmin.php?page=open-brain). An attacker crafts a malicious HTML page containing a form that auto-submits via POST to the settings URL. The form includes plugin configuration parameters (e.g., 'open_brain_key') populated with a Stored XSS payload like \u003Cscript>alert(origin)\u003C\u002Fscript>. Since the plugin's func_page_main() function does not check for a WordPress security nonce, the request will be processed successfully if visited by a logged-in administrator. The payload is saved to the database and executed whenever the settings page or other areas utilizing these options are loaded.","gemini-3-flash-preview","2026-04-16 15:40:09","2026-04-16 15:40:26",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fopen-brain\u002Ftags"]
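Review bot: a nonce check alone does not authorize the change: `check_admin_referer('open_brain_save_settings')` proves the request originated from a form the site rendered, not that the submitter may edit settings, so pair it with a capability check such as `if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }` before the two `update_option()` calls. Two smaller points: `sanitize_text_field()` on input does not replace output escaping, so the form rendering that echoes `get_option('open_brain_id')` and `get_option('open_brain_key')` back into the page should wrap them in `esc_attr()`, which is what closes the stored-XSS path the advisory describes; and the header `@@ -X,X +X,X @@` is a placeholder, so the diff will not apply with `git apply` until real line offsets are filled in.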