CVE-2026-11551

Critical

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29.…

Wordfence·CWE-640·Published 2026-06-19

CVSS

9.8

EPSS

—

KEV

Exploits

cve.orgen

406 chars

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS metrics across sources

Version	Type

3.1	Primary	cve.org	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	ENISA EUVD	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H