Vulnerabilities and security researches forbranda-white-labeling branda-white-labeling

Jun 07, 2024

CVE, Research URL: CVE-2023-51542
Home page URL: Security reports for Branda – White Label WordPress, Custom Login Page Customizer
Application: Branda – White Label WordPress, Custom Login Page Customizer
Date: Jun 04, 2024
Research Description: Authentication Bypass by Spoofing vulnerability in WPMU DEV Branda allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Branda: from n/a through 3.4.14.
Affected versions: max 3.4.15.
Status: vulnerable

CVE, Research URL: 94d463f85fe79f062f8660ab7b7ce4742d0ce867
Home page URL: Security reports for Branda – White Label WordPress, Custom Login Page Customizer
Application: Branda – White Label WordPress, Custom Login Page Customizer
Date: Mar 20, 2023
Research Description: Branda – White Label & Branding, Free Login Page Customizer [branda-white-labeling] < 3.4.9 WordPress Branda Plugin <= 3.4.8.1 is vulnerable to Cross Site Scripting (XSS) Update the WordPress Branda plugin to the latest available version (at least 3.4.9). Unknown discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Branda Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.4.9.
Affected versions: max 3.4.9.
Status: vulnerable

Jun 22, 2024

CVE, Research URL: CVE-2024-5191
Home page URL: Security reports for Branda – White Label WordPress, Custom Login Page Customizer
Application: Branda – White Label WordPress, Custom Login Page Customizer
Date: Jun 21, 2024
Research Description: The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.4.18.
Status: vulnerable

Jul 02, 2024

CVE, Research URL: CVE-2024-37239
Home page URL: Security reports for Branda – White Label WordPress, Custom Login Page Customizer
Application: Branda – White Label WordPress, Custom Login Page Customizer
Date: Jul 22, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Branda allows Stored XSS.This issue affects Branda: from n/a through 3.4.17.
Affected versions: max 3.4.18.
Status: vulnerable

Jul 22, 2024

CVE, Research URL: CVE-2024-6554
Home page URL: Security reports for Branda – White Label WordPress, Custom Login Page Customizer
Application: Branda – White Label WordPress, Custom Login Page Customizer
Date: Jul 11, 2024
Research Description: The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is due the plugin utilizing composer without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Affected versions: max 3.4.19.
Status: vulnerable

Nov 22, 2024

CVE, Research URL: CVE-2024-9371
Home page URL: Security reports for Branda – White Label WordPress, Custom Login Page Customizer
Application: Branda – White Label WordPress, Custom Login Page Customizer
Date: Nov 21, 2024
Research Description: The Branda – White Label & Branding, Custom Login Page Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.19. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 3.4.22.
Status: vulnerable

Jan 11, 2026

CVE, Research URL: CVE-2025-14998
Home page URL: Security reports for Branda – White Label WordPress, Custom Login Page Customizer
Application: Branda – White Label WordPress, Custom Login Page Customizer
Date: Jan 02, 2026
Research Description: The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Affected versions: max 3.4.29.
Status: vulnerable