What Is CVE-2026-11551?
CVE-2026-11551 is a critical authentication bypass and privilege escalation vulnerability in the Branda WordPress plugin, carrying a CVSS score of 9.8. The flaw allows unauthenticated attackers to completely take over any user account—including administrator accounts—without requiring any prior access or credentials. Exploitation leads to full site compromise.
Affected Versions
All versions of the Branda plugin are affected. No version is known to be immune at this time.
Exploited in the Wild?
Given the critical severity (CVSS 9.8) and the unauthenticated nature of the attack, this vulnerability is highly attractive to threat actors. Site administrators should operate under the assumption that active exploitation is occurring or imminent, and take immediate defensive measures.
How to Fix
As of this writing, no official patch has been released by the plugin maintainers. The only fully effective mitigation is to disable and remove the Branda plugin from all WordPress installations until a patched version becomes available. Monitor the plugin’s repository and official channels for update announcements.
Recommendations
- Disable Branda immediately on all WordPress sites.
- Audit user accounts for any newly created or modified administrator-level users.
- Review access logs for suspicious activity targeting wp-admin or REST API endpoints associated with Branda.
- Enable a Web Application Firewall (WAF) rule to block exploitation attempts if plugin removal is not immediately possible.
- Subscribe to vendor notifications for patch availability and apply the fix as soon as released.
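To support the log-review and account-audit steps above, here is an added Python example (not from this advisory or the plugin vendor) that scans combined-format web server log lines for 2xx responses on wp-admin or wp-json paths containing an assumed plugin slug `branda`, and flags administrator accounts registered after a cutoff. The advisory does not name Branda's endpoints, so the slug, the sample routes, IPs and user rows are all constructed placeholders.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx default); generic parser, not plugin-specific.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# ASSUMPTION: Branda's REST routes and admin-ajax actions contain the slug "branda".
# The advisory does not name the endpoints, so adjust this to what your site exposes.
PLUGIN_SLUG = "branda"


def is_plugin_request(path: str) -> bool:
    """True for a wp-json or wp-admin request whose path mentions the plugin slug."""
    low = path.lower()
    return PLUGIN_SLUG in low and low.startswith(("/wp-json/", "/wp-admin/"))


def review_log(lines):
    """Return (hits, per_ip_counts): plugin-endpoint requests the server answered 2xx.
    A 2xx on such an endpoint from an unexpected client is what to triage first."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_plugin_request(m["path"]) and m["status"].startswith("2"):
            hits.append((m["ip"], m["ts"], m["method"], m["path"], m["ua"]))
    return hits, Counter(h[0] for h in hits)


def new_admins(users, since):
    """Administrator rows registered at/after `since` ("YYYY-MM-DD HH:MM:SS", so
    string comparison orders correctly). Rows mirror `wp user list` fields."""
    return [u for u in users if u["role"] == "administrator" and u["registered"] >= since]


# Constructed sample data: routes, IPs and accounts are illustrative, not real observations.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2026:10:01:12 +0000] "POST /wp-json/branda/v1/example-route HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.5 - - [02/May/2026:10:01:14 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 9384 "-" "curl/8.4"
198.51.100.7 - - [02/May/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [02/May/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=branda_example HTTP/1.1" 200 45 "-" "curl/8.4"
192.0.2.9 - - [02/May/2026:10:03:00 +0000] "POST /wp-json/branda/v1/example-route HTTP/1.1" 403 60 "-" "Mozilla/5.0"
"""
SAMPLE_USERS = [
    {"login": "admin", "role": "administrator", "registered": "2024-01-10 09:00:00"},
    {"login": "editor1", "role": "editor", "registered": "2026-05-02 10:05:00"},
    {"login": "wpsupport", "role": "administrator", "registered": "2026-05-02 10:05:31"},
]
```

Feed it your real access log and a `wp user list --fields=user_login,roles,user_registered` export; any admin that appears shortly after a flagged request from the same time window deserves immediate review.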
