OPEN-BRAIN Plugin Vulnerability (CVE-2026-4091)

Security Alert Summary

The OPEN-BRAIN WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 0.5.0. The vulnerability is caused by missing nonce verification on the settings form in the func_page_main() function, which could allow an attacker to submit forged requests that inject malicious web scripts if they can trick a site administrator into performing an action such as clicking a link.


CVE Details

  • CVE ID: CVE-2026-4091
  • Affected component: OPEN-BRAIN plugin for WordPress
  • Affected versions: All versions up to and including 0.5.0
  • Published: April 15, 2026 at 9:16:33 AM UTC
  • Last modified: April 15, 2026 at 9:16:33 AM UTC
  • CVSS v3.1: Base Score 6.1, MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
  • Authentication / privileges / user interaction: No privileges required (PR:N); user interaction required (UI:R)
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE: CWE-352 (Cross-Site Request Forgery)

Technical Details

The vulnerability is a Cross-Site Request Forgery (CWE-352) caused by missing nonce verification on the plugin’s settings form. The problematic code path is in the func_page_main() function, where form submissions are processed without validating a WordPress nonce. Because the nonce check is absent, an attacker can craft a forged request that, if an authenticated administrator completes an action (for example by clicking a link), will be accepted by the site and processed by the plugin.

The CVE description specifically notes the lack of nonce verification on the settings form in func_page_main(). The practical effect described is that this allows an attacker to inject malicious web scripts via a forged request. The impact is limited to the confidentiality and integrity categories at a low level and does not directly affect availability per the provided CVSS data.
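The missing check the description refers to, shown as a generic WordPress settings handler before and after the fix. This is an added illustration, not the OPEN-BRAIN plugin's code; the function, option and nonce names (example_settings_page_before, example_opt, example_save_settings, example_nonce) are hypothetical.

```php
<?php
// Added illustration, not the OPEN-BRAIN plugin's code; all names here are hypothetical.

// BEFORE: the pattern the advisory describes. Any POST carrying the field is
// saved, so a request forged from another site and completed by a logged-in
// administrator is accepted, and the value reaches the database unfiltered.
function example_settings_page_before() {
    if ( isset( $_POST['example_opt'] ) ) {
        update_option( 'example_opt', $_POST['example_opt'] );
    }
    example_render_form();
}

// AFTER: the form carries a nonce tied to the action, the handler verifies it
// with check_admin_referer() (which calls wp_die() on failure), confirms the
// caller's capability, and sanitizes the value before storing it.
function example_settings_page_after() {
    if ( isset( $_POST['example_opt'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ) );
        }
        check_admin_referer( 'example_save_settings', 'example_nonce' );
        $value = sanitize_text_field( wp_unslash( $_POST['example_opt'] ) );
        update_option( 'example_opt', $value );
    }
    example_render_form();
}

// Shared form renderer. wp_nonce_field() emits the hidden nonce (plus the
// referer field) that the AFTER handler checks; the BEFORE handler ignores it.
// The stored value is escaped on output so a previously injected string
// cannot execute when the settings page is rendered.
function example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label for="example_opt">Example option</label>
        <input type="text" id="example_opt" name="example_opt"
               value="<?php echo esc_attr( get_option( 'example_opt', '' ) ); ?>">
        <?php submit_button( __( 'Save Changes', 'example' ) ); ?>
    </form>
    <?php
}
```

The nonce check proves the request originated from a form the site itself rendered for this user; it does not replace the capability check, which is why both appear in the AFTER handler.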


How This Could Impact Your Website

In a typical scenario, a site owner runs the OPEN-BRAIN plugin and has multiple users with different roles: administrators, editors, and external contractors or contributors. An attacker could send a crafted link to an administrator or embed that link in a web page. If the administrator interacts with the link while logged into the WordPress admin, the forged request could execute in the context of the administrator’s session and cause the plugin to perform unintended actions.

Possible practical consequences include limited disclosure of low-sensitivity data or unauthorized modification of plugin settings that affect how content or integration features behave. Such changes could increase the risk of targeted phishing or social engineering by exposing internal user information or changing content behavior used in communications with users.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor- and editor-level accounts with access to plugin settings.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site and admin activity logs for unusual behavior, especially actions affecting plugin settings.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

