CVE-2026-11551
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk45th percentile — higher than 45% of all known CVEs
Summary
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to and including 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password.
Risk Assessment
Unauthenticated attackers can change arbitrary user's passwords, including administrators, leading to unauthorized access to their accounts.
Recommendation
It is recommended to update the Branda plugin to the latest version to mitigate this vulnerability.
Original NVD description (English source)
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

