VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 7 known issues Latest disclosed Jan 01, 2026

Branda – White Label & Branding, Free Login Page Customizer Vulnerabilities

Review known vulnerability records for the WordPress plugin Branda – White Label & Branding, Free Login Page Customizer (`branda-white-labeling`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-14998, CVE-2024-9371 and CVE-2024-6554, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
7
High or Critical
1
Patch Coverage
100%
Last Updated
Jan 02, 2026
Priority CVE Quick Links

Fast paths into Branda – White Label & Branding, Free Login Page Customizer CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
6
CVE-2025-14998 Critical 3.4.29
CVE-2025-14998 Branda – White Label & Branding, Free Login Page Customizer Authorization Bypass

Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover

CVE-2024-5191 Medium 3.4.18
CVE-2024-5191 Branda – White Label & Branding, Free Login Page Customizer Stored Cross-Site Scripting

Branda – White Label WordPress, Custom Login Page Customizer <= 3.4.17 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

CVE-2024-9371 Medium 3.4.22
CVE-2024-9371 Branda – White Label & Branding, Free Login Page Customizer Cross-Site Scripting

Branda – White Label & Branding, Custom Login Page Customizer <= 3.4.19 - Reflected Cross-Site Scripting

CVE-2024-6554 Medium 3.4.19
CVE-2024-6554 Branda – White Label & Branding, Free Login Page Customizer Vulnerability

Branda – White Label WordPress, Custom Login Page Customizer <= 3.4.18 - Unauthenticated Full Path Disclosure

CVE-2023-51542 Medium 3.4.15
CVE-2023-51542 Branda – White Label & Branding, Free Login Page Customizer Vulnerability

Branda <= 3.4.14 - IP Address Spoofing

CVE-2024-37239 Medium 3.4.18
CVE-2024-37239 Branda – White Label & Branding, Free Login Page Customizer Stored Cross-Site Scripting

Branda <= 3.4.17 - Authenticated (Administrator+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Branda – White Label & Branding, Free Login Page Customizer so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
7 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
1 critical and 0 high severity findings.
Recent CVEs
CVE-2025-14998, CVE-2024-9371 and CVE-2024-6554
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Branda – White Label & Branding, Free Login Page Customizer

Sorted by latest disclosure date so newly published issues surface first.

Plugin Critical Patched: Yes CVE-2025-14998
CVE-2025-14998: Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticate...

Published
Jan 01, 2026
Patched Release
3.4.29
Affected Versions
Versions up to 3.4.24
Next Step
Update to 3.4.29 or newer if supported.
Open CVE-2025-14998 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-9371
CVE-2024-9371: Branda – White Label & Branding, Custom Login Page Customizer <= 3.4.19 - Reflected Cross-Site Scripting

The Branda – White Label & Branding, Custom Login Page Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.19. This makes it possible f...

Published
Nov 20, 2024
Patched Release
3.4.22
Affected Versions
Versions up to 3.4.21
Next Step
Update to 3.4.22 or newer if supported.
Open CVE-2024-9371 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-6554
CVE-2024-6554: Branda – White Label WordPress, Custom Login Page Customizer <= 3.4.18 - Unauthenticated Full Path Disclosure

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is due the plugin utilizing composer without preventing direct access to the files. This makes it possibl...

Published
Jul 10, 2024
Patched Release
3.4.19
Affected Versions
Versions up to 3.4.18
Next Step
Update to 3.4.19 or newer if supported.
Open CVE-2024-6554 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-37239
CVE-2024-37239: Branda <= 3.4.17 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Branda plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inje...

Published
Jun 28, 2024
Patched Release
3.4.18
Affected Versions
Versions up to 3.4.17
Next Step
Update to 3.4.18 or newer if supported.
Open CVE-2024-37239 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-5191
CVE-2024-5191: Branda – White Label WordPress, Custom Login Page Customizer <= 3.4.17 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it...

Published
Jun 20, 2024
Patched Release
3.4.18
Affected Versions
Versions up to 3.4.17
Next Step
Update to 3.4.18 or newer if supported.
Open CVE-2024-5191 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-51542
CVE-2023-51542: Branda <= 3.4.14 - IP Address Spoofing

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 3.4.14 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retri...

Published
Dec 27, 2023
Patched Release
3.4.15
Affected Versions
Versions up to 3.4.14
Next Step
Update to 3.4.15 or newer if supported.
Open CVE-2023-51542 Report Open CVE Reference
Plugin Medium Patched: Yes
Branda – White Label WordPress <= 3.4.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Branda plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permi...

Published
Mar 16, 2023
Patched Release
3.4.9
Affected Versions
Versions up to 3.4.8.1
Next Step
Update to 3.4.9 or newer if supported.
Open Full Report