{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3995", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-11T17:04:22.771Z", "datePublished": "2026-04-16T06:44:51.340Z", "dateUpdated": "2026-04-16T12:04:24.073Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:51.340Z"}, "affected": [{"vendor": "faridsaniee", "product": "OPEN-BRAIN", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags but does not encode double quotes or other HTML-special characters needed for safe attribute context output. The API key value is saved via update_option() and later output into an HTML input element's value attribute without esc_attr() escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts via attribute breakout payloads (e.g., double quotes followed by event handlers) that execute whenever a user accesses the plugin settings page."}], "title": "OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3fe3fa95-cc1d-469b-8a97-37987b9ae362?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L252"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L252"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L253"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L253"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L128"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L128"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-15T17:42:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T11:11:56.355411Z", "id": "CVE-2026-3995", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:04:24.073Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3995", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T11:11:56.355411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T11:12:03.420Z"}}], "cna": {"title": "OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "faridsaniee", "product": "OPEN-BRAIN", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-15T17:42:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3fe3fa95-cc1d-469b-8a97-37987b9ae362?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L252"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L252"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L253"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L253"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L128"}, {"url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L128"}], "descriptions": [{"lang": "en", "value": "The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags but does not encode double quotes or other HTML-special characters needed for safe attribute context output. The API key value is saved via update_option() and later output into an HTML input element's value attribute without esc_attr() escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts via attribute breakout payloads (e.g., double quotes followed by event handlers) that execute whenever a user accesses the plugin settings page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:51.340Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3995", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:04:24.073Z", "dateReserved": "2026-03-11T17:04:22.771Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-16T06:44:51.340Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags but does not encode double quotes or other HTML-special characters needed for safe attribute context output. The API key value is saved via update_option() and later output into an HTML input element's value attribute without esc_attr() escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts via attribute breakout payloads (e.g., double quotes followed by event handlers) that execute whenever a user accesses the plugin settings page."}], "id": "CVE-2026-3995", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T07:16:30.503", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L128"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L252"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L253"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L272"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L128"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L252"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L253"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L272"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3fe3fa95-cc1d-469b-8a97-37987b9ae362?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OPEN-BRAIN", "source": "cna", "vendor": "faridsaniee"}, "product": "open-brain", "vendor": "faridsaniee"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T05:54:07.364803+00:00", "value": {"mitigation_remediation": ["Update the OPEN\u2011BRAIN plugin to the latest available vendor\u2011released version.", "If an upgrade cannot be performed immediately, disable editing of the API key field for all roles or remove the field entirely to eliminate the injection vector.", "Monitor site logs for unusual script injection attempts and restrict or block administrative access as a temporary measure."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All instances of the OPEN\u2011BRAIN plugin for WordPress with versions up to and including 0.5.0, delivered by the vendor faridsaniee:OPEN\u2011BRAIN. No published fix version is indicated, so any deployment of these versions is potentially vulnerable.", "description_and_impact": "The OPEN\u2011BRAIN WordPress plugin contains a stored cross\u2011site scripting flaw that arises from an insufficient sanitization routine for the 'API Key' setting field. The plugin calls sanitize_text_field() which removes HTML tags but leaves double quotes and other special characters intact, and later outputs the value into an input element\u2019s value attribute without esc_attr() escaping. An administrator\u2011level user can therefore inject an attribute\u2011breakout payload such as a double quote followed by an event handler, which will be executed whenever any user opens the plugin settings page, potentially allowing the execution of arbitrary scripts in the victim\u2019s browser context.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.4, reflecting a moderate severity. EPSS Score is <1% and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack can be carried out only by authenticated users with Administrator privileges, who can access the settings page, inject the payload, and trigger its execution on subsequent visits by other users. Because unauthenticated users cannot inject the payload, the risk is confined to environments where the attacker can obtain admin credentials or social\u2011engineer an admin user."}}}}, "created": "2026-04-16T09:11:39.404777+00:00", "updated": "2026-04-17T06:00:09.279319+00:00", "vendors": ["faridsaniee", "faridsaniee$PRODUCT$open-brain", "wordpress", "wordpress$PRODUCT$wordpress"]}