Description
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Published: 2026-01-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthenticated Password Change
Action: Patch
AI Analysis

Impact

The Branda WordPress plugin allows a non‑authenticated attacker to change the passwords of any user on the site, including administrators, because it fails to verify the requester's identity before performing a password update. This flaw creates an account takeover vector that can be used to acquire full access to the site with the privileges of the chosen account.

Affected Systems

This vulnerability is present in every release of the Branda – White Label & Branding, Free Login Page Customizer plugin from wpmudev up to and including version 3.4.24.

Risk and Exploitability

The CVSS score of 9.8 classifies the flaw as critical, and the EPSS score of less than 1% indicates a very low current exploitation probability. The bug is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote via the web interface, where an unauthenticated user can trigger the plugin’s password‑reset logic through standard HTTP requests to public endpoints.

Generated by OpenCVE AI on April 21, 2026 at 00:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Branda plugin to a version newer than 3.4.24, if an update has been released.
  • If an update cannot be applied immediately, temporarily disable or uninstall the Branda plugin and restore the site’s default login pages.
  • Block external requests to URLs that invoke the plugin’s password‑reset actions—such as /wp-admin/admin-ajax.php with relevant actions—using a web‑application firewall or host‑based rules.
  • Enable two‑factor authentication for all administrator accounts to mitigate the impact of a potential takeover.

Generated by OpenCVE AI on April 21, 2026 at 00:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpmudev
Wpmudev branda
Vendors & Products Wordpress
Wordpress wordpress
Wpmudev
Wpmudev branda

Fri, 02 Jan 2026 02:30:00 +0000

Type Values Removed Values Added
Description The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Title Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpmudev Branda
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:21.481Z

Reserved: 2025-12-20T15:01:44.895Z

Link: CVE-2025-14998

cve-icon Vulnrichment

Updated: 2026-01-05T20:33:42.800Z

cve-icon NVD

Status : Deferred

Published: 2026-01-02T03:15:50.940

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14998

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses