
CVE-2025-14998: Branda Password Reset Account Takeover

Overview

  • CVE: CVE-2025-14998
  • Plugin: Branda – White Label & Branding
  • Affected Versions: <= 3.4.24
  • Patched Version: 3.4.25 (fix confirmed in 3.4.29)
  • CVSS: 9.8 (Critical)
  • Authentication: None required (unauthenticated)
  • Type: Unauthenticated Privilege Escalation via Account Takeover (Password Reset Bypass)

Vendor notified December 20, 2025; publicly disclosed January 1, 2026. This vulnerability stems from the complete absence of identity validation in Branda's password reset API. An unauthenticated attacker can overwrite the password of any WordPress account, including site administrators.

What Happened

Branda (formerly Ultimate Branding) is a plugin that enables white-label customization of WordPress installations. It is widely used by agencies and resellers to rebrand the admin dashboard, customize the login page, and hide WordPress fingerprints from clients.

The plugin implemented its own password reset flow, but in versions 3.4.24 and earlier, the code responsible for updating a password failed to verify that the requester was actually the legitimate owner of the targeted account.

Key issues:

  • The endpoint handling password reset requests did not properly validate user tokens or proof of ownership
  • Specifying a target user ID or email address in the request was sufficient to overwrite the account's password
  • The entire operation executed without authentication, meaning any external attacker without an active session could exploit it

How the Attack Works

The attack scenario is straightforward and easy to automate.

  1. Identify the administrator account: WordPress exposes usernames by default through author archive URLs such as /?author=1. If the REST API is enabled, wp-json/wp/v2/users also returns user data.

  2. Send the password reset request: The attacker sends a crafted request to Branda's password reset endpoint, including the target user's ID and a chosen new password. The standard reset flow — email delivery, link click, and token validation — is bypassed entirely.

  3. Log in and take full control: The attacker logs in with the newly set password as the administrator. From this point, the attacker has complete control over the site:

    • Install plugins with embedded backdoors
    • Modify or delete other user accounts
    • Deface or exfiltrate site content
    • Access the database or server via PHP code execution

The attack can be scripted to scan and compromise multiple sites in bulk with minimal effort.

Real-World Impact

The CVSS score of 9.8 (Critical) reflects the severity of the risk accurately.

  • No authentication is required, which removes virtually all barriers to exploitation
  • Every user account — including administrators — is a valid target, meaning a site can be completely taken over
  • A WordPress account takeover can cascade into damage affecting other applications and data running on the same server
  • Depending on the hosting environment, lateral movement to other WordPress sites on the same server is possible
  • Attack traces are minimal, potentially delaying detection long after a breach has occurred

For agencies running Branda across many client sites, a single compromised management environment could lead to a cascading compromise of every managed site.

Fix and Lessons

Fix: Version 3.4.25 introduced proper identity verification in the password reset flow. The fix has also been confirmed in 3.4.29. All sites using Branda should update to the latest version immediately.

Lessons:

  1. Identity verification is mandatory: Password reset flows must use email token validation or a secure one-time token. Skipping this step converts the feature into an account takeover primitive.
  2. Danger of custom authentication logic: Custom implementations that bypass WordPress's built-in password reset mechanism introduce a high risk of oversight. The core reset flow exists for a reason.
  3. Apply nonce and capability checks everywhere: WordPress nonces and capability checks should be applied to every state-changing operation, without exception.
  4. The disclosure window matters: Between vendor notification (December 20, 2025) and public disclosure (January 1, 2026), roughly two weeks passed. Sites that had not patched during this window were exposed with no public warning.
  5. Continuous plugin monitoring: Maintaining an inventory of installed plugins and their versions — with automated alerts when CVEs are published — is essential for timely response.
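To make the defect described under "What Happened" and lessons 1 through 3 concrete, here is an added illustration in WordPress PHP. It is not Branda's code and does not reproduce Branda's actual endpoint: the route names (`example/v1/...`), handler names and parameter names are assumptions. The core functions it calls (`retrieve_password`, `check_password_reset_key`, `reset_password`, `register_rest_route`, `current_user_can`) are real WordPress APIs. The first handler shows the unsafe pattern (trusting a caller-supplied user ID as proof of ownership); the remaining code shows the hardened flow, in which the single-use key that core emailed to the account owner, not the user ID, is what proves identity.

```php
<?php
// Added illustration, not Branda's code. Route, handler and parameter names
// are assumptions; the WordPress core functions used are real and live in
// wp-includes/user.php and the REST API. Intended to run inside WordPress.

// UNSAFE pattern (the class of bug in the advisory): the caller names the
// account and picks the password; nothing proves the caller owns it.
function example_unsafe_set_password( WP_REST_Request $request ) {
    $user = get_user_by( 'id', (int) $request['user_id'] );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    wp_set_password( (string) $request['new_password'], $user->ID ); // no ownership check
    return array( 'ok' => true );
}

// Step 1 of the safe flow: core generates a reset key, stores its hash on the
// account and emails the link. The server never accepts a new password for an
// account it has not emailed first.
function example_request_reset( WP_REST_Request $request ) {
    $result = retrieve_password( sanitize_user( (string) $request['login'] ) );
    if ( is_wp_error( $result ) ) {
        error_log( 'password reset request failed: ' . $result->get_error_code() );
    }
    // Same answer whether or not the login exists, so the route cannot be
    // used to enumerate accounts.
    return array( 'ok' => true );
}

// Step 2 of the safe flow: identity is proven by the key, not by the user ID.
function example_hardened_set_password( WP_REST_Request $request ) {
    $login = sanitize_user( (string) $request['login'] );
    $key   = (string) $request['key'];

    // Returns WP_User only if the key matches the stored hash for this login
    // and has not expired (core default: 24 hours); otherwise WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return new WP_Error( 'invalid_key', 'Invalid or expired reset link', array( 'status' => 403 ) );
    }

    $new_password = (string) $request['new_password'];
    if ( strlen( $new_password ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password too short', array( 'status' => 400 ) );
    }

    // reset_password() stores the new hash via wp_set_password(), which also
    // clears the stored reset key, so the link cannot be replayed.
    reset_password( $user, $new_password );
    return array( 'ok' => true );
}

add_action( 'rest_api_init', function () {
    // Both reset routes must be reachable without a session, so the
    // permission_callback allows everyone and the handler does the checking.
    register_rest_route( 'example/v1', '/password-reset/request', array(
        'methods'             => 'POST',
        'callback'            => 'example_request_reset',
        'permission_callback' => '__return_true',
        'args'                => array( 'login' => array( 'required' => true ) ),
    ) );
    register_rest_route( 'example/v1', '/password-reset/confirm', array(
        'methods'             => 'POST',
        'callback'            => 'example_hardened_set_password',
        'permission_callback' => '__return_true',
        'args'                => array(
            'login'        => array( 'required' => true ),
            'key'          => array( 'required' => true ),
            'new_password' => array( 'required' => true ),
        ),
    ) );

    // Lesson 3: an administrator-driven change of another account's password
    // is a state-changing operation and gets a capability check in the
    // permission_callback. Core's cookie authentication additionally rejects
    // logged-in callers that do not send a valid REST nonce (X-WP-Nonce).
    register_rest_route( 'example/v1', '/users/(?P<id>\d+)/password', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $user = get_user_by( 'id', (int) $request['id'] );
            if ( ! $user ) {
                return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
            }
            reset_password( $user, (string) $request['new_password'] );
            return array( 'ok' => true );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_user', (int) $request['id'] );
        },
        'args'                => array( 'new_password' => array( 'required' => true ) ),
    ) );
} );
```

The design point is where the identity check lives. The confirm route is unauthenticated by necessity (the user has lost their password), so its `permission_callback` is `__return_true` and the only acceptable proof is the emailed key checked by `check_password_reset_key`. Any handler that instead derives the target from a caller-supplied `user_id` or email and skips that key check reproduces the class of bug in CVE-2025-14998. For routes a logged-in user calls, the check moves into `permission_callback` as a capability test, which is lesson 3.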

Detection with Nyambush

Nyambush detects WordPress plugin version information and raises an alert for any site running a plugin version known to carry CVE-2025-14998.

When Branda 3.4.24 or earlier is detected, Nyambush reports it as a Critical finding in the scan results. Configuring scheduled scans ensures you receive prompt notifications as soon as new vulnerabilities are disclosed. Unauthenticated privilege escalation is the highest-priority vulnerability category and should be remediated without delay.
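As an added example of the kind of version check a scanner performs (not Nyambush's or Branda's code), the PHP below reads the standard WordPress plugin header from a plugin's main file and flags any Branda version below 3.4.25, the patched release named in this advisory. The header string is constructed for the example, and the Branda main-file path is a placeholder because the page does not give it; the header format and `version_compare` are standard WordPress and PHP conventions.

```php
<?php
// Added example, not Nyambush's or Branda's code. The plugin header text
// below is constructed; the file path is a placeholder.

const EXAMPLE_BRANDA_PATCHED = '3.4.25'; // first fixed version per the advisory

// Read one field from a plugin header the way WordPress' get_file_data() does:
// only the first 8 KB of the file, field name at the start of a comment line,
// a colon, then the value, with any trailing comment terminator stripped.
function example_plugin_header_field( string $file_contents, string $field ): ?string {
    $header = substr( $file_contents, 0, 8192 );
    $re     = '/^(?:[ \t]*<\?php)?[ \t\/*#@]*' . preg_quote( $field, '/' ) . ':(.*)$/mi';
    if ( preg_match( $re, $header, $m ) ) {
        return trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
    }
    return null;
}

// Returns a finding for an affected Branda install, or null when the file is
// not Branda's main file or the version is already patched.
function example_check_branda( string $file_contents, string $path ): ?array {
    $name    = example_plugin_header_field( $file_contents, 'Plugin Name' );
    $version = example_plugin_header_field( $file_contents, 'Version' );
    if ( $name === null || $version === null || stripos( $name, 'Branda' ) === false ) {
        return null;
    }
    if ( ! version_compare( $version, EXAMPLE_BRANDA_PATCHED, '<' ) ) {
        return null; // 3.4.25 or later: not affected
    }
    return array(
        'cve'      => 'CVE-2025-14998',
        'severity' => 'Critical',
        'plugin'   => $name,
        'version'  => $version,
        'path'     => $path,
        'action'   => 'Update Branda to ' . EXAMPLE_BRANDA_PATCHED . ' or later',
    );
}

// Walk every plugin's top-level PHP files (the main file is always there) and
// collect findings. Other plugins are skipped by the name check above.
function example_scan_plugins_dir( string $plugins_dir ): array {
    $findings = array();
    foreach ( glob( rtrim( $plugins_dir, '/' ) . '/*/*.php' ) ?: array() as $file ) {
        $finding = example_check_branda( (string) file_get_contents( $file ), $file );
        if ( $finding !== null ) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed sample resembling an affected install (placeholder path).
$sample  = "<?php\n/**\n * Plugin Name: Branda - White Label & Branding\n * Version: 3.4.24\n */\n";
$finding = example_check_branda( $sample, 'wp-content/plugins/<branda-dir>/<main-file>.php' );
print_r( $finding ); // 3.4.24 is below 3.4.25, so this yields a Critical finding

// On a real host: print_r( example_scan_plugins_dir( '/var/www/html/wp-content/plugins' ) );
```

The check keys on the version in the installed file rather than on what the site advertises, so it still works on installs that hide WordPress fingerprints (which Branda itself is often used for). Because the advisory lists every release up to and including 3.4.24 as affected, the comparison is "below 3.4.25" rather than an exact-match list, so it also catches older releases a site may have pinned.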
