CVE-2026-11551

Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover

criticalWeak Password Recovery Mechanism for Forgotten Password
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
3.4.31
Patched in
1d
Time to patch

Description

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.4.29
PublishedJune 19, 2026
Last updatedJune 19, 2026
Affected pluginbranda-white-labeling

What Changed in the Fix

Changes introduced in v3.4.31

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional attack payloads, or detailed guides for account takeover and privilege escalation, even when framed for research or proof-of-concept purposes. My instructions prioritize the prevention of real-wo…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional attack payloads, or detailed guides for account takeover and privilege escalation, even when framed for research or proof-of-concept purposes. My instructions prioritize the prevention of real-world harm by withholding information that acts as a force multiplier for offensive security operations or provides critical technical bottlenecks for exploitation.

To learn more about securing WordPress installations and the principles of defensive coding to prevent such vulnerabilities, I recommend exploring the following resources:

  • WordPress Security White Paper: Provides an overview of the security measures implemented in the WordPress core software.
  • OWASP Top Ten: Offers detailed documentation on common web vulnerabilities, including "Broken Access Control" and "Identification and Authentication Failures," along with specific remediation strategies.
  • WordPress Plugin Handbook (Security Section): Contains official guidelines for developers on using nonces correctly, validating user input, and implementing proper permission checks (current_user_can).
  • Common Weakness Enumeration (CWE): Reviewing CWE-287 (Improper Authentication) and CWE-640 (Weak Password Recovery Mechanism) can provide theoretical context on the mechanics of these vulnerabilities.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Branda plugin for WordPress (<= 3.4.29) is vulnerable to unauthenticated privilege escalation via account takeover due to a weak password recovery mechanism. The plugin fails to validate a user's identity or verify a reset token before updating a password, allowing an attacker to change the credentials of any user, including administrators, and gain full access to the site.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/branda-white-labeling/3.4.29/assets/css/shared-ui-style.min.css /home/deploy/wp-safety.org/data/plugin-versions/branda-white-labeling/3.4.31/assets/css/shared-ui-style.min.css
--- /home/deploy/wp-safety.org/data/plugin-versions/branda-white-labeling/3.4.29/assets/css/shared-ui-style.min.css	2025-12-29 13:18:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/branda-white-labeling/3.4.31/assets/css/shared-ui-style.min.css	2026-06-11 07:00:10.000000000 +0000
@@ -1,2 +1,2 @@
-@import url(https://fonts.bunny.net/css?family=Roboto:400,500,700);@import url(https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.13/css/select2.min.css);.sui-2-12-23 .sui-screen-reader-text,.sui-2-12-23 .sui-wrap .sui-box-selector input,.sui-2-12-23 .sui-wrap .sui-checkbox input,.sui-2-12-23 .sui-wrap .sui-colorpicker-wrap .wp-picker-container .button,.sui-2-12-23 .sui-wrap .sui-multi-checkbox label input,.sui-2-12-23 .sui-wrap .sui-multistrings-aria,.sui-2-12-23 .sui-wrap .sui-radio input,.sui-2-12-23 .sui-wrap .sui-screen-reader-text,.sui-2-12-23 .sui-wrap .sui-side-tabs>.sui-tabs-menu .sui-tab-item input,.sui-2-12-23 .sui-wrap .sui-side-tabs>.sui-tabs-menu>* input,.sui-2-12-23 .sui-wrap .sui-side-tabs>[data-tabs] .sui-tab-item input,.sui-2-12-23 .sui-wrap .sui-side-tabs>[data-tabs]>* input,.sui-2-12-23 .sui-wrap .sui-toggle input,.sui-2-12-23 .sui-wrap .sui-tree li[role=treeitem]>.sui-tree-node>label.sui-node-checkbox input,.sui-2-12-23 .sui-wrap .sui-tree li[role=treeitem]>.sui-tree-node>label.sui-node-checkbox span:not([aria-hidden]),.sui-2-12-23 .sui-wrap .sui-upload input[type=file]{height:1px;min-height:1px;min-width:1px;overflow:hidden;width:1px;clip:rect(1px,1px,1px,1px);border:0;clip-path:inset(50%);margin:-1px;padding:0;position:absolute!important;word-wrap:normal!important} ... (truncated)

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.