
Branda Plugin CVE-2026-11551

EUVD: EUVD-2026-38097 · CRITICAL
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-06-20 security@wordfence.com GHSA-r464-rgh8-qf85
9.8
CVSS 3.1 · Vendor: wordfence

Severity by source

Vendor (wordfence), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL

Remote HTTP endpoint, no authentication or user interaction, and a trivial request flips any account's password, yielding full confidentiality, integrity and availability impact on the WordPress site.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (wordfence).

CVSS Vector (Vendor: wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Jun 20, 2026 - 00:16 (nvd)
Analysis Generated: Jun 20, 2026 - 00:48 (vuln.today)

Description (CVE.org)

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators, and leverage that to gain access to their account.

Analysis (AI)

Unauthenticated account takeover in the Branda (white-labeling) plugin for WordPress through version 3.4.29 allows remote attackers to reset arbitrary user passwords, including administrators, by abusing a password update flow that fails to verify the requester's identity. The Wordfence-reported flaw is tracked as CVE-2026-11551 with a CVSS score of 9.8; no public exploit was identified at the time of analysis, but the trivial exploitability of the vulnerable signup-password module makes weaponization straightforward once the patched code is diffed.
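The identity-validation failure that the description and analysis above name (CWE-640) is easiest to see as two handlers side by side. What follows is an added Python model of that pattern, not the plugin's PHP and not derived from the Branda source: the vulnerable handler trusts whatever user_id and new password the request carries, while the hardened one accepts the update only when the caller presents an unexpired, single-use reset key that was minted for that exact user. The in-memory user table, the hashing and the key format are constructed for the example.

```python
"""Illustrative model of CWE-640: a password-update handler that trusts a
caller-supplied user_id, beside one that binds the update to a single-use
reset key. Added example; not the Branda plugin's code."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def _hash(s: str) -> str:
    # SHA-256 keeps the demo short; real password storage uses a slow hash.
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed in-memory stand-in for the WordPress users table.
USERS: Dict[int, Dict[str, str]] = {
    1: {"login": "admin", "pw_hash": _hash("original-admin-pw")},
    2: {"login": "editor", "pw_hash": _hash("original-editor-pw")},
}


def vulnerable_update(request: dict) -> bool:
    """The flaw class: any request naming a user_id gets that password changed.
    Nothing ties the caller to the account."""
    user = USERS.get(int(request["user_id"]))
    if user is None:
        return False
    user["pw_hash"] = _hash(request["new_password"])
    return True


# ---- hardened variant ---------------------------------------------------
RESET_TTL = 15 * 60                                 # seconds a key stays valid
_RESET_KEYS: Dict[int, Tuple[str, float]] = {}      # user_id -> (key hash, expiry)


def issue_reset_key(user_id: int, now: Optional[float] = None) -> str:
    """Server side of 'forgot password': mint a random key bound to ONE user.
    The key goes out of band (e-mail); only its hash is stored."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)
    _RESET_KEYS[user_id] = (_hash(key), now + RESET_TTL)
    return key


def hardened_update(request: dict, now: Optional[float] = None) -> bool:
    """Accept the new password only if the caller proves possession of the
    unexpired key issued for this exact user_id; the key is consumed on use."""
    now = time.time() if now is None else now
    user_id = int(request["user_id"])
    record = _RESET_KEYS.get(user_id)
    if record is None or user_id not in USERS:
        return False                                 # no outstanding reset
    key_hash, expiry = record
    if now > expiry:
        _RESET_KEYS.pop(user_id, None)               # expired: discard
        return False
    presented = str(request.get("key", ""))
    if not hmac.compare_digest(key_hash, _hash(presented)):
        return False                                 # wrong key, or another user's
    _RESET_KEYS.pop(user_id, None)                   # single use
    USERS[user_id]["pw_hash"] = _hash(request["new_password"])
    return True


def password_is(user_id: int, candidate: str) -> bool:
    """Helper for checking outcomes in the demo."""
    return hmac.compare_digest(USERS[user_id]["pw_hash"], _hash(candidate))
```

The point of the hardened form is that the key, not the user_id, is the credential: it is bound to one account when issued, compared in constant time, expires, and is consumed on first use. The WordPress-native equivalent is validating the reset key with check_password_reset_key() before calling reset_password(), rather than acting on a caller-supplied user id.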


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running Branda ≤3.4.29
Delivery: Enumerate target admin username/user_id
Exploit: POST crafted password-update to signup-password endpoint
Install: Plugin overwrites admin password without identity check
C2: Log in to /wp-admin as administrator
Execute: Upload malicious plugin or theme for RCE
Impact: Full site compromise and persistence

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the Branda (branda-white-labeling) plugin be installed and active at version 3.4.29 or earlier, and that the plugin's login-screen / signup-password module be enabled so its password-update handler in inc/modules/login-screen/signup-password.php is reachable over HTTP(S). …
Risk Assessment: All available signals point to a true critical: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a network-reachable, low-complexity, unauthenticated, no-user-interaction flaw with full CIA impact on the target site, which aligns with the description of an unauthenticated password reset against any account. …
Exploit Scenario: An unauthenticated attacker identifies a WordPress site running Branda (visible via login-screen branding or plugin asset paths), then issues a crafted POST to the Branda signup-password endpoint specifying the administrator's user_id (or username) and a new password of their choice. Because the handler never validates that the requester owns the targeted account, the password is overwritten; the attacker then logs in to /wp-admin as that administrator and installs a malicious plugin or PHP backdoor for persistence. …
Remediation: An upstream fix is available (PR/commit), but the released patched version has not been independently confirmed. The wordpress.org plugin trac changeset 3568291 (https://plugins.trac.wordpress.org/changeset/3568291/branda-white-labeling/trunk/inc/modules/login-screen/signup-password.php) corrects the signup-password handler, so administrators should update Branda to the first release that incorporates that changeset (any version strictly greater than 3.4.29) as soon as it is published on wordpress.org, confirming the fixed version against the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/56f13af3-71b6-42d4-9fda-a75778f32091. Until that release is confirmed, the interim control is the one given under Recommended Action below: deactivate the plugin, or at minimum the login-screen module whose handler is the reachable surface. …
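For the Recon step of the attack chain and the version threshold in the remediation note, the practical check is whether a site's Branda version is at or below 3.4.29. The script below is an added example, not vuln.today's or the plugin vendor's tooling. It assumes the wordpress.org slug branda-white-labeling (the path in the trac changeset above) and the standard WordPress conventions of a `Stable tag:` line in readme.txt and a `Version:` line in the main plugin file header; the sample readme text is constructed. The point it adds beyond the advisory is that the comparison must be numeric per component: as strings, "3.4.3" sorts after "3.4.29", so a naive check would report a vulnerable install as fixed.

```python
"""Version-range check for Branda (affected: all versions <= 3.4.29).
Added example; slug, file paths and the sample readme are assumptions or
constructed for the demo, not taken from the plugin."""
import re
import urllib.request
from typing import Optional, Tuple

PLUGIN_SLUG = "branda-white-labeling"   # slug seen in the wordpress.org trac URL
LAST_VULNERABLE = "3.4.29"              # "all versions up to, and including, 3.4.29"

# Constructed sample of a wordpress.org readme.txt; not the real plugin file.
SAMPLE_README = """=== Branda (constructed sample readme) ===
Tags: white label, login
Stable tag: 3.4.29
"""

# Matches 'Stable tag: X' (readme.txt) or ' * Version: X' (plugin header).
_VERSION_LINE = re.compile(
    r"^\s*\*?\s*(?:Stable tag|Version)\s*:\s*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)


def parse_version(text: str) -> Optional[str]:
    """Return the version string found in readme/header text, or None."""
    m = _VERSION_LINE.search(text)
    return m.group(1) if m else None


def version_key(v: str) -> Tuple[int, ...]:
    """Per-component numeric key so that '3.4.3' < '3.4.29'. Non-numeric parts
    such as '-beta' count as 0; trailing zeros are dropped so 3.4.29.0 == 3.4.29."""
    nums = []
    for part in re.split(r"[.\-]", v):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_vulnerable(version: str, last_bad: str = LAST_VULNERABLE) -> bool:
    """True when version <= last_bad under numeric comparison."""
    return version_key(version) <= version_key(last_bad)


def assess(text: str) -> Optional[bool]:
    """Classify readme/header text: True vulnerable, False fixed, None unknown."""
    v = parse_version(text)
    return None if v is None else is_vulnerable(v)


def readme_url(site: str) -> str:
    """Conventional public location of a plugin's readme.txt (assumption: the
    plugin directory keeps its slug and readme.txt is not blocked)."""
    return f"{site.rstrip('/')}/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"


def assess_site(site: str, timeout: float = 10.0) -> Optional[bool]:
    """Fetch and classify a live site's readme.txt. This is the only network
    call in the example; any fetch failure is reported as unknown (None)."""
    try:
        with urllib.request.urlopen(readme_url(site), timeout=timeout) as resp:
            return assess(resp.read().decode("utf-8", "replace"))
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print(readme_url("https://example.com"))
    print("constructed sample readme vulnerable:", assess(SAMPLE_README))
```

A result of None from assess_site() means only that the version could not be read remotely (readme.txt blocked, plugin directory renamed, site unreachable); in that case check the version from the dashboard or from the plugin's own files on disk rather than treating the site as unaffected.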

Recommended Action (AI)

Within 24 hours: Disable or remove Branda plugin version 3.4.29 and earlier from all WordPress installations; enable multi-factor authentication (MFA) on all administrator accounts as emergency control. …



CVE-2026-11551 vulnerability details – vuln.today
