CVE-2026-11551 | Severity: CRITICAL | CNA: Wordfence

CVE-2026-11551: Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fixed version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass and privilege escalation vulnerability in the Branda (White Label and Branding) plugin for WordPress, affecting all versions up to and including 3.4.29. It is reachable over the network with no authentication required and no user interaction needed, meaning any remote attacker can trigger it directly against an exposed WordPress site. Successful exploitation allows an attacker to reset any user's password, including administrator accounts, take over those accounts, and gain full control of the WordPress installation. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11551 is available across every HarborGuard environment. Ingestion from upstream advisory feeds, including Wordfence, occurs within minutes of publication, and matching against customer images and pipeline builds, including custom WordPress images bundling the Branda plugin, is performed automatically.

Triage: Available

Triage is available with a CVSS v3.1 score of 9.8 (Critical), surfaced against each customer's compliance policy weighting to prioritize severity routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available the moment a fixed version is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for WordPress workloads or egress filtering to limit exposure of the affected plugin endpoint.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.

  • Authentication: Not required

    No account or credentials of any kind are needed; the attack can be executed by a completely anonymous remote attacker.

  • Victim interaction: Not required

    The attacker does not need any user to click a link or take any action; the password change is triggered directly by the attacker's request to the server.

  • Attack complexity: Low

    Exploit reliability is high, and no special conditions, race conditions, or environmental factors are required to succeed.

Blast Radius

  • Attacker resets the password of any WordPress user, including site administrators, and logs in with full account privileges.
  • Attacker reads all stored site content, user records, session tokens, and any sensitive data accessible to the hijacked account.
  • Attacker modifies or deletes posts, pages, plugin settings, and site configuration, including installing or activating arbitrary plugins.
  • Attacker can fully compromise the WordPress host environment if the administrator account has sufficient server-level access.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-11551 at this time, the platform monitors the Wordfence advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix is published. While awaiting a patch, customers are advised to consider compensating controls: network-policy isolation to restrict inbound HTTP access to WordPress login and password-reset endpoints, egress filtering on affected workloads, and temporarily deactivating or removing the Branda plugin where White Label branding features are not operationally required. These compensating-control suggestions can be communicated to development and operations teams through HarborGuard's finding detail and comment workflow.

Affected packages

  • wpmudev / Branda – White Label & Branding, Free Login Page Customizer (≤ 3.4.29)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H