CVE Catalog

CVE-2026-11551

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.63%

45th percentile — higher than 45% of all known CVEs

Summary

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to and including 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password.

Risk Assessment

Unauthenticated attackers can change arbitrary user's passwords, including administrators, leading to unauthorized access to their accounts.

Recommendation

It is recommended to update the Branda plugin to the latest version to mitigate this vulnerability.

Original NVD description (English source)

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS