Vulnerabilities ›

CVE-2026-4091

Medium

CWE-352 — Weakness Type

                    Published: Apr 15, 2026                      ·  Modified: Apr 18, 2026                      ·  Source: NVD                

CVSS v3

6.1

🔗 NVD Official

📄 Description (English)

The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce verification on the settings form in the func_page_main() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

🤖 AI Executive Summary

The OPEN-BRAIN WordPress plugin versions up to 0.5.0 contains a Cross-Site Request Forgery vulnerability due to missing nonce verification in the settings form. Unauthenticated attackers can exploit this to inject malicious scripts if they trick administrators into clicking a malicious link.

📄 Description (Arabic)

إضافة OPEN-BRAIN لـ WordPress تحتوي على ثغرة CSRF في دالة func_page_main() بسبب غياب التحقق من nonce. يمكن للمهاجمين غير المصرحين استغلال هذه الثغرة لحقن نصوص برمجية ضارة عند خداع مسؤول الموقع. الثغرة تؤثر على جميع الإصدارات حتى 0.5.0.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 23, 2026 05:17

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government healthcare banking

🎯 MITRE ATT&CK Techniques

T1548 T1566

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update the OPEN-BRAIN plugin to version 0.5.1 or later immediately. Implement proper nonce verification on all settings forms. Restrict access to plugin settings to authenticated administrators only. Monitor for suspicious administrative actions and review recent plugin configuration changes.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة OPEN-BRAIN إلى الإصدار 0.5.1 أو أحدث فوراً. طبق التحقق الصحيح من nonce على جميع نماذج الإعدادات. قيد الوصول إلى إعدادات الإضافة للمسؤولين المصرحين فقط. راقب الإجراءات الإدارية المريبة وراجع تغييرات إعدادات الإضافة الأخيرة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

8.1.1 8.2.1

🔵 SAMA CSF

AC-3 AC-6

🟡 ISO 27001:2022

A.9.2.1 A.9.4.3

🔗 References & Sources 9

🔗

https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L237

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L252

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L253

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/open-brain/tags/0.5.0/index.php#L272

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L237

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L252

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L253

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/open-brain/trunk/index.php#L272

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/93df6480-9bb1-4f5d-bb39-ff1a0...

security@wordfence.com

📊 CVSS Score

6.1

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.1

CWECWE-352

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-04-15

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-352

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-4091

Introduce Yourself

Sign In Required