CVE-2026-4091 Overview
The OPEN-BRAIN plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting all versions up to and including 0.5.0. The flaw stems from missing nonce verification on the settings form handled by the func_page_main() function. Unauthenticated attackers can craft a forged request that, when triggered by an authenticated administrator, injects malicious web scripts into plugin settings. Exploitation requires social engineering, typically tricking an administrator into clicking a malicious link while authenticated to the target site.
Critical Impact
Successful exploitation allows attackers to modify plugin settings and inject malicious scripts that execute in the context of the WordPress administrator session.
Affected Products
- OPEN-BRAIN plugin for WordPress, all versions through 0.5.0
- WordPress sites with OPEN-BRAIN installed and active
- Administrator accounts authenticated to vulnerable installations
Discovery Timeline
- 2026-04-15 - CVE CVE-2026-4091 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4091
Vulnerability Analysis
The OPEN-BRAIN plugin processes administrative settings through the func_page_main() function without validating a WordPress nonce token. Nonce verification is the standard WordPress mechanism for confirming that a state-changing request originated from a legitimate user session rather than a third-party site. Without this check, any HTTP request reaching the settings handler with a valid administrator cookie is treated as authorized.
An attacker hosts a malicious page containing an auto-submitting form or JavaScript that targets the plugin settings endpoint. When an authenticated administrator visits the attacker-controlled page, the browser submits the forged request using the administrator's session cookies. The plugin accepts the input and persists attacker-controlled values, which can include script payloads rendered later in the admin interface.
Root Cause
The root cause is the absence of wp_verify_nonce() and check_admin_referer() calls in the settings handler. WordPress provides these functions specifically to bind form submissions to user sessions. The referenced source lines at index.php#L237, L252, L253, and L272 show the settings processing logic operating directly on $_POST data without origin validation.
Attack Vector
Exploitation proceeds over the network and requires user interaction from a privileged victim. The attacker prepares a webpage with a hidden form posting to the OPEN-BRAIN settings endpoint of the target WordPress site. The attacker delivers the link through phishing, forum posts, or other social channels. When the administrator loads the page while logged into WordPress, the browser submits the forged settings update, and the plugin stores the attacker-supplied content. Stored script payloads then execute when administrators view affected plugin pages.
No verified public proof-of-concept code is available. Technical details are documented in the Wordfence Vulnerability Report and the WordPress Plugin Code Reference.
Detection Methods for CVE-2026-4091
Indicators of Compromise
- Unexpected modifications to OPEN-BRAIN plugin settings in the wp_options table without corresponding administrator activity logs
- HTTP POST requests to the OPEN-BRAIN settings endpoint with Referer headers pointing to external domains
- Script tags, onerror handlers, or javascript: URIs present in stored plugin configuration values
- Administrator session activity originating shortly after the user clicked an external link
Detection Strategies
- Monitor web server access logs for POST requests to wp-admin/admin.php containing OPEN-BRAIN page parameters from external referrers
- Audit wp_options entries associated with the OPEN-BRAIN plugin for HTML or script content
- Deploy a Web Application Firewall (WAF) rule that blocks state-changing requests to plugin admin pages lacking a valid nonce parameter
- Review WordPress audit logs for settings changes that do not correlate with interactive administrator sessions
Monitoring Recommendations
- Enable verbose logging on the WordPress admin interface and forward events to a centralized SIEM for correlation
- Alert on cross-origin POST requests to /wp-admin/ endpoints from authenticated administrator sessions
- Track plugin file integrity and configuration drift on a recurring schedule
- Monitor administrator browsing telemetry for navigation to untrusted external sites immediately preceding settings changes
How to Mitigate CVE-2026-4091
Immediate Actions Required
- Deactivate the OPEN-BRAIN plugin until a patched release is available
- Restrict WordPress administrator accounts to dedicated browsers or sessions that are not used for general browsing
- Enforce two-step verification on all administrator accounts to limit downstream impact of session abuse
- Review plugin configuration values and remove any unexpected script content
Patch Information
No vendor-supplied patch is referenced in the published advisory at the time of NVD publication. Track the Wordfence Vulnerability Report and the plugin's WordPress.org listing for an updated release that adds nonce verification to func_page_main().
Workarounds
- Remove the OPEN-BRAIN plugin entirely if it is not business-critical
- Apply WAF virtual patching rules that require a valid _wpnonce parameter on requests to the plugin's admin pages
- Limit administrative access to a hardened management network or jump host
- Train administrators to log out of WordPress before browsing untrusted links
# Example WAF rule (ModSecurity) blocking OPEN-BRAIN settings POSTs without a nonce
SecRule REQUEST_METHOD "@streq POST" \
"chain,id:1004091,phase:2,deny,status:403,msg:'CVE-2026-4091 CSRF block'"
SecRule REQUEST_URI "@contains /wp-admin/admin.php" \
"chain"
SecRule ARGS:page "@rx open-brain" \
"chain"
SecRule &ARGS:_wpnonce "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

