Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote HTTP endpoint, no authentication or user interaction required, and a trivial request flips any account's password, yielding full confidentiality, integrity, and availability impact on the WordPress site.
Primary rating from vendor (Wordfence).
CVSS vector (vendor: Wordfence): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
Analysis (AI)
Unauthenticated account takeover in the Branda (white-labeling) plugin for WordPress, through version 3.4.29, allows remote attackers to reset arbitrary user passwords, including administrators', by abusing a password update flow that fails to verify the requester's identity. The Wordfence-reported flaw is tracked as CVE-2026-11551 with a CVSS score of 9.8. No public exploit was identified at the time of analysis, but the trivial exploitability of the vulnerable signup-password module makes weaponization straightforward once the patched code is diffed.
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the Branda (branda-white-labeling) plugin be installed and active at version 3.4.29 or earlier, and that the plugin's login-screen / signup-password module be enabled so that its password-update handler in inc/modules/login-screen/signup-password.php is reachable over HTTP(S). … |
| Risk Assessment | All available signals point to a true critical: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a network-reachable, low-complexity, unauthenticated, no-user-interaction flaw with full CIA impact on the target site, which matches the description of an unauthenticated password reset against any account. … |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running Branda (visible via login-screen branding or plugin asset paths), then issues a crafted POST to the Branda signup-password endpoint specifying the administrator's user_id (or username) and a new password of their choice. Because the handler never validates that the requester owns the targeted account, the password is overwritten, and the attacker logs in to /wp-admin as that administrator and installs a malicious plugin or PHP backdoor for persistence. … |
| Remediation | An upstream fix is available (PR/commit), but the released patched version is not independently confirmed. The wordpress.org plugin trac changeset 3568291 (https://plugins.trac.wordpress.org/changeset/3568291/branda-white-labeling/trunk/inc/modules/login-screen/signup-password.php) corrects the signup-password handler, so administrators should update Branda to the first release that incorporates that changeset (any version strictly greater than 3.4.29) as soon as it is published on wordpress.org and confirmed via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/56f13af3-71b6-42d4-9fda-a75778f32091. … |
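The root cause described above is a password-update handler that acts on whatever target the request names. The following is an added illustration, not Branda's code and not the upstream fix: a hypothetical WordPress REST handler in the vulnerable shape beside a hardened one that binds the change to a one-time key issued to the account owner (the standard WordPress `check_password_reset_key` / `reset_password` flow). Route, function and parameter names are assumptions.

```php
<?php
// Added example (not Branda's code). Hypothetical handlers for a
// "set your password at signup" flow, showing the missing identity check.

// VULNERABLE shape: the target account comes from the request itself and
// nothing ties the caller to that account, so any caller can reset anyone.
function example_vuln_set_password( WP_REST_Request $req ) {
    $user_id = (int) $req->get_param( 'user_id' );
    wp_set_password( (string) $req->get_param( 'password' ), $user_id );
    return rest_ensure_response( array( 'ok' => true ) );
}

// HARDENED shape: the caller must present the single-use key that WordPress
// generated for this login (get_password_reset_key) and delivered out of band,
// typically by e-mail. check_password_reset_key() validates the key against
// the stored hash and its expiry and returns the matching WP_User.
function example_safe_set_password( WP_REST_Request $req ) {
    $login    = sanitize_user( (string) $req->get_param( 'login' ) );
    $key      = (string) $req->get_param( 'key' );
    $new_pass = (string) $req->get_param( 'password' );

    if ( '' === $login || '' === $key ) {
        return new WP_Error( 'missing_params', 'login and key are required.', array( 'status' => 400 ) );
    }

    // Identity check: the key, not the login alone, proves account ownership.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Generic error: do not reveal whether the login exists.
        return new WP_Error( 'invalid_key', 'Invalid or expired key.', array( 'status' => 403 ) );
    }

    if ( strlen( $new_pass ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password too short.', array( 'status' => 400 ) );
    }

    // reset_password() sets the new hash and clears the activation key,
    // so the same key cannot be replayed.
    reset_password( $user, $new_pass );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
    // Public route (no session exists yet at signup); the key is the credential.
    register_rest_route( 'example/v1', '/signup-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_safe_set_password',
        'permission_callback' => '__return_true',
    ) );
} );
```

For a flow where the user is already logged in, the equivalent check is to ignore any target in the request and act only on `get_current_user_id()`, after re-verifying the current password with `wp_check_password()`.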
Recommended Action (AI)
Within 24 hours: disable or remove Branda plugin version 3.4.29 and earlier from all WordPress installations; enable multi-factor authentication (MFA) on all administrator accounts as an emergency control. …
Related advisory identifiers: EUVD-2026-38097, GHSA-r464-rgh8-qf85