cleantalk
Vulnerabilities and Security Researches

Branda – White Label WordPress, Custom Login Page Customizer, CVE-2026-11551

CVE, Research URL

CVE-2026-11551

Home page URL

Security reports for Branda – White Label WordPress, Custom Login Page Customizer

Application

Branda – White Label WordPress, Custom Login Page Customizer

Published on
Jun 20, 2026
Research Description
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Affected versions
max 3.4.31.
Status
vulnerable
Previous vulnerability researches
WpZon – Amazon Affiliate Plugin (CVE-2025-46506) , Apr 26, 2025
New vulnerability
WP Hotel Booking (CVE-2026-9822) , Jun 21, 2026
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2026-11551) , Jun 21, 2026
Classified Listing – Classified ads & Business Directory Plugin (CVE-2026-10779) , Jun 21, 2026
WP EasyPay – Square for WordPress (CVE-2026-56024) , Jun 20, 2026
Database for Contact Form 7, WPforms, Elementor forms (CVE-2026-9843) , Jun 20, 2026