Stored Cross-Site Scripting Vulnerability in OPEN-BRAIN Plugin for WordPress
CVE-2026-3995

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Open-brain
Vendor: CVE Published:; 16 April 2026

What is CVE-2026-3995?

The OPEN-BRAIN plugin for WordPress contains a vulnerability that allows authenticated attackers with Administrator-level access to exploit the 'API Key' settings field due to inadequate input sanitization. The plugin relies on sanitize_text_field() to remove HTML tags but fails to adequately encode other special characters, leading to potential XSS attacks. As a result, when the API key is stored via update_option() and later rendered within an HTML input element without proper escaping, malicious scripts could be injected. This occurs whenever a user visits the plugin settings page, potentially compromising site security.

Affected Version(s)

OPEN-BRAIN 0 <= 0.5.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/open-brain/tru...

https://plugins.trac.wordpress.org/browser/open-brain/tag...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Mar 11, 2026

Credit

Muhammad Nur Ibnu Hubab

CVE-2026-3995 Data

JSON