PT-2026-33279 · WordPress · Open-Brain

Published: 2026-04-16 · Updated: 2026-04-24 · CVE-2026-3995

CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OPEN-BRAIN plugin for WordPress, versions prior to 0.5.1

Description
Stored Cross-Site Scripting occurs via the 'API Key' settings field due to insufficient input sanitization and output escaping. The plugin uses the `sanitize_text_field()` function, which removes HTML tags but does not encode double quotes or the other HTML-special characters that must be encoded for safe output in an attribute context. The API key value is saved with `update_option()` and later written into the `value` attribute of an HTML `<input>` element without `esc_attr()` escaping. This allows authenticated attackers with Administrator-level access to inject arbitrary web scripts using attribute breakout payloads, such as a double quote followed by an event handler, which execute when a user visits the plugin settings page.

Recommendations
Update the plugin to a version later than 0.5.0. As a temporary workaround, avoid entering special characters or double quotes in the 'API Key' settings field.
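The escaping gap described above, shown as an added illustration that is not the Open-Brain plugin's own code: the WordPress helpers `sanitize_text_field()`, `update_option()`, `get_option()` and `esc_attr()` are replaced by minimal stand-ins (an assumption made so the file runs outside WordPress; the real functions do more than this), the vulnerable render function concatenates the stored value into a `value` attribute as the advisory describes, and the hardened render function applies `esc_attr()` at output time. The sample value is constructed and only contains a bare double quote, enough to show that the vulnerable variant lets it close the attribute while the fixed variant encodes it.

```php
<?php
// Added example (not the plugin's code). Stand-ins for WordPress helpers so the
// file runs outside WordPress; they mirror only the behaviour relevant here.

$options = []; // in-memory replacement for the wp_options table

if (!function_exists('sanitize_text_field')) {
    // Simplified stand-in: strips tags and whitespace but leaves '"' untouched,
    // which is the property this advisory relies on.
    function sanitize_text_field(string $str): string
    {
        return trim(strip_tags($str));
    }
}

if (!function_exists('esc_attr')) {
    // Stand-in for esc_attr(): encodes &, <, >, " and ' for attribute context.
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

if (!function_exists('update_option')) {
    function update_option(string $name, $value): bool
    {
        global $options;
        $options[$name] = $value;
        return true;
    }
}

if (!function_exists('get_option')) {
    function get_option(string $name, $default = '')
    {
        global $options;
        return $options[$name] ?? $default;
    }
}

// Vulnerable pattern as described in the advisory: the value is sanitized on
// save but written into the attribute without context-specific escaping.
function render_api_key_field_vulnerable(): string
{
    $key = get_option('open_brain_api_key', '');
    return '<input type="text" name="api_key" value="' . $key . '">';
}

// Hardened pattern: escape for the HTML attribute context at output time.
// Sanitization on input does not replace escaping on output.
function render_api_key_field_fixed(): string
{
    $key = get_option('open_brain_api_key', '');
    return '<input type="text" name="api_key" value="' . esc_attr($key) . '">';
}

// Returns true when the rendered input's value attribute contains no raw
// double quote, i.e. the attribute cannot be closed early by the stored value.
function value_attribute_is_intact(string $html): bool
{
    if (!preg_match('/value="([^>]*)">$/', $html, $m)) {
        return false;
    }
    return strpos($m[1], '"') === false;
}

// Constructed sample value; a hypothetical option name is used for the key.
$submitted = 'sk-demo"extra';
update_option('open_brain_api_key', sanitize_text_field($submitted));

printf("vulnerable intact: %s\n", value_attribute_is_intact(render_api_key_field_vulnerable()) ? 'yes' : 'no');
printf("fixed intact:      %s\n", value_attribute_is_intact(render_api_key_field_fixed()) ? 'yes' : 'no');
```

Run with `php example.php`. The sanitizer leaves the double quote in place, so the vulnerable render function emits it unchanged and the attribute boundary is lost; `esc_attr()` turns it into `&quot;`, so the fixed variant keeps the value inside the attribute. The same check applies to any option the plugin echoes into markup: the escaping function must match the output context, and `esc_attr()` is the one for attribute values.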

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-3995

Affected Products: Open-Brain