cleantalk
Vulnerabilities and Security Researches

Branda – White Label WordPress, Custom Login Page Customizer, CVE-2026-11551

CVE, Research URL

CVE-2026-11551

Home page URL

Security reports for Branda – White Label WordPress, Custom Login Page Customizer

Application

Branda – White Label WordPress, Custom Login Page Customizer

Published on
Jun 20, 2026
Research Description
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Affected versions
max 3.4.31.
Status
vulnerable
Previous vulnerability researches
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-24573) , Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2026-3297) , Jun 13, 2026
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2026-2470) , Jun 13, 2026
Page Builder: Pagelayer – Drag and Drop website builder (034ff0255a06b02d7a3099c8b62052121c06a6b8) , Jun 16, 2026
Page Builder: Pagelayer – Drag and Drop website builder (798fe899223d5728f117e7d01b13ea4115a359b9) , Jun 16, 2026
New vulnerability
Simple File List (CVE-2026-11911) , Jun 21, 2026
Simple File List (CVE-2026-12119) , Jun 21, 2026
Simple File List (CVE-2026-11912) , Jun 21, 2026
WP Hotel Booking (CVE-2026-9822) , Jun 21, 2026
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2026-11551) , Jun 21, 2026