Privilege Escalation Vulnerability in Branda Plugin for WordPress
CVE-2026-11551

9.8 CRITICAL

What is CVE-2026-11551?

The Branda plugin for WordPress contains a privilege escalation flaw that leads to account takeover. In all versions up to 3.4.29, the vulnerability stems from insufficient validation of user identity during the password update process. As a result, unauthorized individuals can change the passwords of arbitrary users, including administrators, and gain access to their accounts without authentication. Website owners are strongly advised to review and update their plugin to the latest version to safeguard against potential breaches.

Affected Version(s)

Branda – White Label & Branding, Free Login Page Customizer: versions 0 through 3.4.29 (<= 3.4.29)

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Tran Van Nhan
Vo Van Minh