What the vulnerability does
01 Description
The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags but does not encode double quotes or other HTML-special characters needed for safe attribute context output. The API key value is saved via update_option() and later output into an HTML input element's value attribute without esc_attr() escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts via attribute breakout payloads (e.g., double quotes followed by event handlers) that execute whenever a user accesses the plugin settings page.
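The description above turns on the difference between tag stripping and attribute escaping. The following PHP is an added example written for this page, not code from the OPEN-BRAIN plugin: it shows the vulnerable output pattern beside the hardened one and adds an allow-list validation step on save. The `example_` functions, the option name, the constructed input, and the assumed API-key character set are all this example's own; the two stand-in definitions only approximate what WordPress's `sanitize_text_field()` and `esc_attr()` do, and are skipped when the real functions are loaded.

```php
<?php
// Added example (not the plugin's code). Demonstrates why sanitize_text_field()
// alone does not make a value safe inside an HTML attribute, and what does.

// Stand-ins so this file runs outside WordPress. Approximations only:
// sanitize_text_field() strips tags and collapses whitespace but keeps quotes;
// esc_attr() HTML-encodes quotes, ampersands and angle brackets.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        $str = strip_tags($str);
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the stored value is concatenated into value="" as-is.
function example_render_vulnerable(string $stored): string {
    return '<input type="text" name="example_api_key" value="' . $stored . '">';
}

// Hardened pattern: escape for the attribute context at output time.
function example_render_fixed(string $stored): string {
    return '<input type="text" name="example_api_key" value="' . esc_attr($stored) . '">';
}

// Defense in depth on save: an API key has a known shape, so reject anything
// outside an allow-list instead of trying to strip dangerous characters.
// The accepted character set is an assumption for this example.
function example_sanitize_api_key(string $raw): string {
    $clean = sanitize_text_field($raw);
    if (preg_match('/^[A-Za-z0-9_\-]{1,128}$/', $clean) !== 1) {
        return ''; // refuse to store a malformed key
    }
    return $clean;
}

// Constructed input: no tags to strip, but a double quote ends the attribute
// and whatever follows is parsed as a new attribute. An inert data-* attribute
// is used here to show the breakout; the advisory notes that the same position
// can carry an event handler.
$raw    = 'abc" data-injected="1';
$stored = sanitize_text_field($raw); // quote survives: tag stripping is not escaping

echo example_render_vulnerable($stored), "\n";
// <input type="text" name="example_api_key" value="abc" data-injected="1">

echo example_render_fixed($stored), "\n";
// <input type="text" name="example_api_key" value="abc&quot; data-injected=&quot;1">

var_dump(example_sanitize_api_key($raw));            // string(0) "" (rejected)
var_dump(example_sanitize_api_key('sk_live_abc123')); // string(14) "sk_live_abc123"
```

The first echo shows the attribute boundary being broken even though nothing was stripped; the second shows `esc_attr()` neutralising the quote. Output escaping is the fix for the rendering defect; the allow-list on save is an independent layer that also keeps malformed keys out of the database.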
Explanation of Vulnerability in Simple Terms
02 Summary
OPEN-BRAIN versions 0.5.0 and earlier contain a cross-site scripting (XSS) vulnerability that allows an authenticated high-privilege user to inject malicious scripts. The vulnerability has limited scope impact and requires high attack complexity. An attacker with administrative access can craft input that executes in other users' browsers, potentially compromising their sessions or data.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute in other users' browsers to steal session data or perform actions on their behalf.
Potential impact on your site
04 Site Impact
An admin account compromise could allow script injection affecting other users' sessions and data integrity across the application.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level administrative privileges and the attack requires specific technical conditions to succeed.
Key dates
06 Disclosure timeline
April 16, 2026: CVE published
April 16, 2026: Record updated