Description
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Published: 2026-06-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Branda plugin for WordPress contains a flaw that allows an attacker to change any user’s password without authentication. This lack of identity verification during password updates enables an unauthenticated attacker to take over administrative accounts, effectively gaining full control of the site. The vulnerability is a classic account‑takeover flaw, classified as CWE‑640.

Affected Systems

WordPress sites using versions of the Branda – White Label & Branding, Free Login Page Customizer plugin up to and including 3.4.29 are potentially exposed. The issue is present in all earlier releases of the plugin where the password update path lacks proper user validation.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is considered critical. Because the attack can be performed without authentication, the exploitation risk is high, although the EPSS score is not available. The lack of mitigation in the affected plugin versions means that any site with an old Branda plugin can be compromised easily if an attacker finds a way to reach the password update endpoint. The vulnerability is not listed in the CISA KEV catalog yet, but its severity and unauthenticated nature warrant immediate attention.

Generated by OpenCVE AI on June 20, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Branda plugin to the latest version (3.4.30 or later) where the password update logic validates the user’s identity before changing the password.
  • If an upgrade is not feasible, locate and remove the Branda plugin from the site to eliminate the attack vector.
  • Ensure that user accounts, especially administrators, have strong, unique passwords and consider enabling two‑factor authentication to guard against account takeover attempts.

Generated by OpenCVE AI on June 20, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpmudev
Wpmudev branda White Label Wordpress Custom Login Page Customizer
Vendors & Products Wordpress
Wordpress wordpress
Wpmudev
Wpmudev branda White Label Wordpress Custom Login Page Customizer

Tue, 23 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Title Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover
Weaknesses CWE-640
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wpmudev Branda White Label Wordpress Custom Login Page Customizer
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-23T02:27:54.179Z

Reserved: 2026-06-08T05:16:38.024Z

Link: CVE-2026-11551

cve-icon Vulnrichment

Updated: 2026-06-23T02:27:49.615Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-640

    Weak Password Recovery Mechanism for Forgotten Password