Branda WordPress Plugin Unauthenticated Account Takeover Privilege Escalation

This repository is a small standalone PHP proof-of-concept plus a README for CVE-2026-11551 affecting the Branda/White Label & Branding WordPress plugin on multisite deployments. The code is not a remote exploit script by itself; instead, it is intended to run within a WordPress environment and demonstrates vulnerable application logic involving wp_update_user(), wp_insert_user(), and Branda's wp_pre_insert_user_data filter. Repository structure is minimal: one executable PHP PoC file and one documentation file. The PHP file defines and immediately invokes poc_privilege_escalation(). That function inserts a crafted pending signup row into the WordPress signups table with serialized metadata containing a known password, then simulates an admin editing an existing user by changing user_login to match the pending signup. According to the README and PoC logic, Branda's signup-password filter reads the pending signup metadata during user update and hashes the supplied password again, even though WordPress core has already hashed the password earlier in the update flow. The PoC then attempts authentication and expects failure, using that failure to confirm the double-hash condition. Main exploit capability: forced password corruption/account lockout of an existing user, including an administrator, by causing the plugin to overwrite the account password with a double-hashed value when the username matches a pending signup. The README frames this as privilege escalation/account takeover, but the actual PoC most clearly demonstrates denial of access and unsafe password reassignment behavior. It does not include a customizable shell payload, command execution, or network callback. Fingerprintable targets and artifacts are primarily WordPress-specific: the wp_signups and wp_users tables, the /wp-admin/user-edit.php administrative path described in the attack flow, and external reference URLs to the vulnerable plugin source and Wordfence advisory. Overall maturity is best classified as POC: it demonstrates the vulnerable condition and impact but is not weaponized or automated for broad exploitation.

Repository contains a single Python exploit script and a minimal README. The main file, cve_2026_11551.py, is an operational exploit for CVE-2026-11551 affecting the WordPress Branda White Label & Branding plugin <= 3.4.29. The script targets a logic flaw in Branda’s signup password handling where password_1 can overwrite the password of an existing user because the hook runs on all wp_insert_user/wp_update_user calls without properly excluding updates. The exploit supports two paths: single-site WordPress registration through /wp-login.php?action=register and multisite signup/activation through /wp-signup.php followed by /wp-activate.php. It performs reconnaissance to identify plugin presence/version, determine whether the site is multisite, check whether registration is open, and assess whether Branda password fields are present. It generates attacker-controlled passwords and unique email addresses, attempts takeover against supplied or default usernames, supports optional proxying and SSL verification disablement, and can run against a single target or mass-scan a list with threading. Successful takeovers are written to branda_results.txt along with metadata and cookies. Overall, this is a real exploit rather than a detector, and its purpose is unauthenticated privilege escalation via account takeover of existing WordPress users.