CVE-2026-11551

CRITICAL

Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover

Title source: cna

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-11551. PoCs published by ubaydev, xxconi, Polosss.

Description

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

Exploits (3)

github · WORKING POC
by ubaydev · php · poc
https://github.com/ubaydev/CVE-2026-11551-PoC

This repository contains a functional PoC demonstrating a privilege escalation vulnerability in White Label & Branding, Free Login Page Customizer <= 3.4.29. The exploit leverages a double-hashing issue in the Branda module's filter, leading to account takeover and admin lockout.

Classification: Working PoC (95%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: White Label & Branding, Free Login Page Customizer <= 3.4.29
Auth: required
Prerequisites: Multisite WordPress installation · Branda Signup Password module active · Pending signup in wp_signups
Analyzed by devstral-2 · Jun 21, 2026
nomisec · WORKING POC
by xxconi · poc
https://github.com/xxconi/2026-11551

This repository contains a functional exploit for CVE-2026-11551, an unauthenticated privilege escalation vulnerability in the Branda White Label & Branding plugin (≤3.4.29). The exploit leverages a missing conditional check in the `pre_insert_user_data` hook, allowing password overwrites for existing users via registration or activation flows.

Classification: Working PoC (95%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: Branda White Label & Branding plugin for WordPress ≤3.4.29
Auth: not needed
Prerequisites: WordPress site with Branda plugin ≤3.4.29 · Registration enabled (single-site) or multisite setup
Analyzed by devstral-2 · Jun 20, 2026
nomisec · WRITEUP
by Polosss · poc
https://github.com/Polosss/By-Poloss..-..CVE-2026-11551-PoC

This repository provides a detailed technical analysis of CVE-2026-11551, an unauthenticated privilege escalation vulnerability in the Branda WordPress plugin. It includes root cause analysis, patch comparison, and proof-of-concept curl commands for exploitation.

Classification: Writeup (100%)
Attack type: Auth bypass
Complexity: Trivial
Reliability: Reliable
Target: Branda – White Label & Branding <= 3.4.29
Auth: not needed
Prerequisites: WordPress with Branda plugin <= 3.4.29 installed and activated · User registration must be enabled · Target username must exist
Analyzed by devstral-2 · Jun 20, 2026

Scores

CVSS v3.1: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-640
Status: published
Products (1): wpmudev/Branda – White Label & Branding, Free Login Page Customizer < 3.4.29
Published: Jun 19, 2026
Tracked since: Jun 20, 2026