CVE-2026-11551

CRITICAL

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS v3.1 Score

9.8

/ 10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Information

Published: 20 juin 2026
Updated: 20 juin 2026
Status: Received
Source: security@wordfence.com

Weaknesses (CWE)

CWE-640

References (3)

https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.29/inc/modules/login-screen/signup-password.php#L232
https://plugins.trac.wordpress.org/changeset/3568291/branda-white-labeling/trunk/inc/modules/login-screen/signup-password.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/56f13af3-71b6-42d4-9fda-a75778f32091?source=cve

Similar CVEs

Other vulnerabilities of type CWE-640

Loading…

Monitor your products

Get automatic alerts for every new CVE affecting your equipment.

Enable monitoring