CVE-2026-11551

Incsub · Branda

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover: an unauthenticated attacker can change any user's password, including the passwords of administrator accounts.

Executive summary

A critical privilege escalation flaw in the Branda plugin allows unauthenticated attackers to perform account takeovers, posing a severe risk of total site compromise.

Vulnerability

The password-update routine does not verify who is making the request before acting on it: it neither requires an authenticated session nor checks that the requester is authorized to modify the targeted account. Because of this missing identity and authorization check, an unauthenticated attacker can set a new password for any user account on the site and then log in as that user.
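The pattern behind this class of flaw, as an added illustration that is not Branda's code and does not reproduce the plugin's actual handler: a hypothetical AJAX password-change endpoint that trusts a client-supplied user ID, beside a hardened version that requires an authenticated session, a nonce, an authorization check against the targeted account, and the current password for self-service changes. The action names, request parameter names and the 12-character minimum are assumptions made for the example; the WordPress functions called are standard core APIs.

```php
<?php
// Added illustration, not the Branda plugin's code. The action names
// ("example_change_password", "example_change_password_safe") and the request
// parameters (user_id, new_password, current_password, nonce) are assumptions.

/*
 * VULNERABLE PATTERN: the handler is wired to the "nopriv" hook, so it runs for
 * visitors with no session at all, and it takes the target user ID from the
 * request. Nothing ties the requester to the account being changed.
 */
add_action( 'wp_ajax_nopriv_example_change_password', 'example_change_password_vulnerable' );
add_action( 'wp_ajax_example_change_password', 'example_change_password_vulnerable' );

function example_change_password_vulnerable() {
    $user_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    // Any visitor can send user_id=1 (usually the first administrator) and a
    // password of their choice; the stored hash is overwritten unconditionally.
    wp_set_password( $password, $user_id );
    wp_send_json_success();
}

/*
 * HARDENED PATTERN: only the authenticated hook is registered (no nopriv), the
 * request must carry a nonce, the requester must be the account owner or hold
 * the edit_user capability for the target, owners must prove the current
 * password, and existing sessions for the account are invalidated afterwards.
 */
add_action( 'wp_ajax_example_change_password_safe', 'example_change_password_safe' );

function example_change_password_safe() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // Dies with -1 if the nonce is missing or invalid (CSRF protection).
    check_ajax_referer( 'example_change_password', 'nonce' );

    $current = wp_get_current_user();
    $target  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : (int) $current->ID;

    // Authorization: acting on another account requires the edit_user meta
    // capability, which core maps to edit_users (administrators on a single site).
    if ( $target !== (int) $current->ID && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! get_userdata( $target ) ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // Self-service change: re-verify the current password so that a stolen
    // session cookie alone cannot be turned into a permanent lockout.
    if ( $target === (int) $current->ID ) {
        $old = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
        if ( ! wp_check_password( $old, $current->user_pass, $current->ID ) ) {
            wp_send_json_error( 'current password incorrect', 403 );
        }
    }

    $new = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new ) < 12 ) { // assumed minimum length for this illustration
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new, $target );

    // wp_set_password() does not touch session tokens, so evict sessions
    // explicitly; an attacker already logged in as this user must be dropped.
    if ( $target === (int) $current->ID ) {
        wp_destroy_other_sessions();    // keep this session, drop the rest
        wp_set_auth_cookie( $target );  // the auth cookie is keyed on the old hash; reissue it
    } else {
        WP_Session_Tokens::get_instance( $target )->destroy_all();
    }

    wp_send_json_success();
}
```

The essential difference is not the nonce (a nonce alone only stops cross-site requests) but the combination of `is_user_logged_in()`, the capability check against the specific target ID, and the absence of a `nopriv` registration: identity is established from the session, and the client-supplied `user_id` is treated as a claim to be authorized, never as a fact.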

Business impact

With a CVSS score of 9.8, this vulnerability represents a critical risk to business continuity and data integrity. By hijacking administrative accounts, attackers can gain full control over the WordPress instance, leading to the theft of sensitive data, site defacement, and the deployment of malware.

Remediation

Immediate Action: Update the Branda plugin to the latest version, which enforces identity validation on password changes. If the update cannot be applied at once, deactivate the plugin until it can. Because a successful exploit leaves the attacker holding a valid password, patching alone does not evict an intruder who got in beforehand: after updating, reset the passwords of all administrator accounts (and any other account that may have been targeted), terminate their existing sessions, and check for newly added administrator users or unfamiliar plugins.

Proactive Monitoring: Audit user account modification logs for password changes that were not initiated by the account owner or an administrator through the normal profile or lost-password workflows, in particular changes to administrator accounts followed by logins from unfamiliar addresses. If the site has no audit logging, the first indication may be an administrator who can no longer log in; treat such reports as potential incidents rather than support tickets.

Compensating Controls: Until the patch is applied, use a Web Application Firewall (WAF) to block unauthenticated requests to the Branda plugin's password-change functionality. The specific request path or action parameter must be taken from the vendor advisory or the plugin source; a rule written without it will either miss the attack or block legitimate password changes. WAF rules are a stopgap, not a substitute for the update.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is especially dangerous because exploitation requires no credentials and no interaction from a victim: the attacker replaces the password rather than guessing it, so password-strength policies and login rate-limiting offer no protection. All organizations running the Branda plugin should apply the latest security update without delay, and then verify that administrator credentials and sessions have not already been hijacked.