Open Brain

CVEs for this product: 1

CVE-2026-3995 (MEDIUM, patch available, published this month)

Stored cross-site scripting in the OPEN-BRAIN WordPress plugin, versions up to 0.5.0, allows an authenticated administrator to inject script via the API Key settings field; the script runs whenever any user opens the plugin settings page. The flaw stems from relying on sanitize_text_field() at save time (which strips tags but does not neutralize quote characters, so it does not prevent attribute breakout) combined with missing esc_attr() escaping when the API key is written into the value attribute of an HTML input. Although exploitation requires administrator-level access, the payload is stored, so it persists and affects every subsequent visit to the settings page.
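The advisory's point is that input sanitization and output escaping are different controls. The following PHP is an added example written for this page, not code from the OPEN-BRAIN plugin: it places the pattern described above (value sanitized on save, written into an attribute without esc_attr()) beside the hardened form, and uses stand-in definitions of esc_attr() and sanitize_text_field() so it runs outside WordPress. The option name openbrain_api_key and the two render functions are hypothetical.

```php
<?php
// Added example, not code from the OPEN-BRAIN plugin. It shows why sanitizing on
// input is not a substitute for escaping at the point a value enters HTML.
// Assumption: the field name and render function names are illustrative only.

// Stand-ins so the script runs outside WordPress. Inside WordPress, call the real
// esc_attr(); for the characters that matter here (& < > " ') its behaviour matches
// htmlspecialchars() with ENT_QUOTES.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified stand-in: removes tags and collapses whitespace, but, like the real
    // function, leaves quote characters untouched.
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}

// Vulnerable pattern as described in the advisory: the stored value was passed
// through sanitize_text_field() on save, then written into an attribute raw.
function render_api_key_field_vulnerable($stored_key) {
    return '<input type="text" name="openbrain_api_key" value="' . $stored_key . '">';
}

// Hardened pattern: escape on output, where the value is placed into the attribute.
function render_api_key_field_hardened($stored_key) {
    return '<input type="text" name="openbrain_api_key" value="' . esc_attr($stored_key) . '">';
}

// Review check: a stored value containing a double quote must not be able to close
// the attribute. Constructed input; a plain quote is enough to show the difference.
$stored = sanitize_text_field('abc"def');

$vuln = render_api_key_field_vulnerable($stored);
$safe = render_api_key_field_hardened($stored);

// The vulnerable markup contains an extra raw quote that terminates the value
// attribute early; the hardened markup encodes it as &quot; and keeps six quotes,
// one opening and one closing pair for each of the three attributes.
printf("vulnerable: %s (raw quotes: %d)\n", $vuln, substr_count($vuln, '"'));
printf("hardened:   %s (raw quotes: %d)\n", $safe, substr_count($safe, '"'));
```

When reviewing a plugin for this class of bug, look at every place an option value is echoed into markup and confirm the escaping function matches the context: esc_attr() for attribute values, esc_html() for element text, esc_url() for href/src. Sanitization on save is still worthwhile, but it only reduces what is stored; it does not make a later unescaped echo safe.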

Tags: XSS, WordPress, Open Brain
References: NVD, GitHub, VulDB
CVSS 3.1: 4.4
EPSS: 0.0%
