
CVE-2025-14998

Date: 02 Jan 2026 01:48:20
Reported by: Wordfence
Type: cve
Source: web.nvd.nist.gov

Unauthenticated privilege escalation in the Branda plugin for WordPress, versions up to 3.4.24, allows account takeover through password updates.

[
  {
    "vendor": "wpmudev",
    "product": "Branda – White Label & Branding, Free Login Page Customizer",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "3.4.24",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
| Parameter | Position | Path | Description | CWE |
|---|---|---|---|---|
| password_1 | request body | /wp/wp-login.php?action=lostpassword | Unauthenticated password reset flow can be abused to set attacker-controlled password during lost password process. | CWE-639 |
| user_login | request body | /wp/wp-login.php?action=lostpassword | Unauthenticated password reset flow can be abused to set attacker-controlled password during lost password process. | CWE-639 |
| action | request body | /wp/wp-login.php?action=lostpassword | Unauthenticated password reset flow can be abused to set attacker-controlled password during lost password process. | CWE-639 |
| wp-submit | request body | /wp/wp-login.php?action=lostpassword | Unauthenticated password reset flow can be abused to set attacker-controlled password during lost password process. | CWE-639 |
| redirect_to | request body | /wp/wp-login.php?action=lostpassword | Unauthenticated password reset flow can be abused to set attacker-controlled password during lost password process. | CWE-639 |
| login | query param | /wp/wp-login.php?login=admin&key=EfUSmvnTun5XbvE6RvIB&action=rp | Password reset completion endpoint can be exploited using a captured key to change a user password without authentication. | CWE-639 |
| key | query param | /wp/wp-login.php?login=admin&key=EfUSmvnTun5XbvE6RvIB&action=rp | Password reset completion endpoint can be exploited using a captured key to change a user password without authentication. | CWE-639 |
| action | query param | /wp/wp-login.php?login=admin&key=EfUSmvnTun5XbvE6RvIB&action=rp | Password reset completion endpoint can be exploited using a captured key to change a user password without authentication. | CWE-639 |
