CVE-2026-11551
CRITICAL · 9.8. Public PoC, urgent patching, defender triage guidance; KEV absence and same-day disclosure lower confidence slightly.
What: Branda WordPress plugin (≤3.4.29) allows unauthenticated attackers to reset arbitrary user passwords and take over accounts, including admin. CVSS 9.8 CRITICAL.
Why it matters: Public exploit confirmed in chatter; patch (3.4.31) available same-day; WordPress sites are high-value targets. Privilege escalation to admin access enables full site compromise. Not yet KEV-listed, but urgency and active patching signal real threat.
Where it's seen: Security feed automation (CVEnew, OrizonCyber, Patchstack); defensive guidance ("update to 3.4.31 now"); one post conflates it with Oracle PeopleSoft (misattribution noise). No mass scanning reports yet.
RISK: CRITICAL — Unauthenticated account takeover of WordPress admin accounts; patch available but millions of sites may lag.
Description
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
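To make the root cause concrete, here is an added illustration (hypothetical handler code, not Branda's own source) of a WordPress password-update endpoint in the weak form the description implies, where the caller's claimed identity is trusted, beside a hardened form that requires the single-use reset key WordPress issued to the account owner. Function names prefixed `hypothetical_` are assumptions; `check_password_reset_key()`, `reset_password()` and `get_user_by()` are real WordPress core APIs.

```php
<?php
// Added illustration, not Branda's code. Both handlers are assumed to be reachable
// by unauthenticated requests, as a reset endpoint normally is.

// WEAK: identity is whatever the request claims. Anyone who can reach this
// endpoint can set any user's password, which is the bug class the advisory describes.
function hypothetical_weak_set_password() {
    $login    = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $new_pass = (string) ( $_POST['new_password'] ?? '' );
    $user     = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user.' );
    }
    reset_password( $user, $new_pass ); // no proof that the caller is $user
    return true;
}

// HARDENED: the caller must present the reset key that was emailed to the account
// owner. check_password_reset_key() compares it against the stored hashed,
// time-limited key and returns the WP_User on success or a WP_Error on failure.
function hypothetical_hardened_set_password() {
    $login    = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $key      = sanitize_text_field( wp_unslash( $_POST['reset_key'] ?? '' ) );
    $new_pass = (string) ( $_POST['new_password'] ?? '' );

    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Expired, missing or forged key: reject without revealing which, and
        // record it so repeated failures against admin logins can be alerted on.
        error_log( sprintf( 'password reset rejected login=%s ip=%s',
            $login, $_SERVER['REMOTE_ADDR'] ?? '-' ) );
        return $user;
    }
    if ( strlen( $new_pass ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password must be at least 12 characters.' );
    }
    // wp_set_password(), called by reset_password(), also clears the stored
    // activation key, so the reset key cannot be replayed.
    reset_password( $user, $new_pass );
    return true;
}
```

For triage, the defender-side check is whether any password-changing code path in a plugin can be reached without a key, nonce or session that proves the caller owns the target account; an authentication check alone is not enough if the target user is taken from the request.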
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Weaknesses
References
- https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.29/inc/modules/login-screen/signup-password.php#L232
- https://plugins.trac.wordpress.org/changeset/3568291/branda-white-labeling/trunk/inc/modules/login-screen/signup-password.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/56f13af3-71b6-42d4-9fda-a75778f32091?source=cve