UnratedPublic exploit

Branda WordPress Plugin Unauthenticated Privilege Escalation via Account Takeover

IdentifiersCVE-2026-11551CWE-639

CVE-2026-11551 affects the Branda plugin for WordPress in all versions up to and including 3.4.29. The vulnerability is caused by improper validation of a user's identity before allowing a password update. As a result, an unauthenticated attacker can change the password of an arbitrary user account, including administrator accounts, and then authenticate as that user. The issue is therefore an account takeover flaw that directly enables privilege escalation within the affected WordPress instance.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated attacker to reset passwords for arbitrary users, including site administrators. This leads to immediate account takeover and privilege escalation to the compromised user's level of access. If an administrator account is targeted, the attacker can obtain full administrative control of the WordPress site, including access to administrative functions and protected site data.

Mitigation

If you can’t patch tonight, do this now.

Until a fixed version is deployed, disable the Branda plugin or restrict access to the vulnerable password-update functionality if operationally feasible. Monitor for unexpected password reset or password change events, review administrator accounts for unauthorized access, and reset credentials for potentially affected users, especially privileged accounts.

Remediation

Patch, then assume compromise.

Update the Branda plugin for WordPress to a version newer than 3.4.29 once a vendor-provided fix is available. If a patched release has already been published, upgrade immediately to the fixed version and verify that no unauthorized password changes or administrator logins occurred prior to remediation.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 1 / 2 TOTALView more in app

2026-11551MaturityPoCVerified exploit

Repository contains a single Python exploit script and a minimal README. The main file, cve_2026_11551.py, is an operational exploit for CVE-2026-11551 affecting the WordPress Branda White Label & Branding plugin <= 3.4.29. The script targets a logic flaw in Branda’s signup password handling where password_1 can overwrite the password of an existing user because the hook runs on all wp_insert_user/wp_update_user calls without properly excluding updates. The exploit supports two paths: single-site WordPress registration through /wp-login.php?action=register and multisite signup/activation through /wp-signup.php followed by /wp-activate.php. It performs reconnaissance to identify plugin presence/version, determine whether the site is multisite, check whether registration is open, and assess whether Branda password fields are present. It generates attacker-controlled passwords and unique email addresses, attempts takeover against supplied or default usernames, supports optional proxying and SSL verification disablement, and can run against a single target or mass-scan a list with threading. Successful takeovers are written to branda_results.txt along with metadata and cookies. Overall, this is a real exploit rather than a detector, and its purpose is unauthenticated privilege escalation via account takeover of existing WordPress users.

xxconiDisclosed Jun 19, 2026pythonmarkdownwebnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

WpmudevBrandaapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cvefeed high severityNews

Jun 19, 2026

CVE-2026-11551 - Branda - White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover

An unauthenticated privilege escalation vulnerability in the Branda Plugin that can lead to account takeover.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-11551

NVD

nvd.nist.gov/vuln/detail/CVE-2026-11551

MITRE CWE · CWE-639

cwe.mitre.org