Skip to main content

Divi Form Builder

2 CVEs product

Monthly

CVE-2026-5523 HIGH This Week

Privilege escalation to full account takeover in the Divi Form Builder WordPress plugin (versions up to and including 5.1.8) lets any authenticated user with subscriber-level access or higher change the email address and password of arbitrary accounts, including administrators. The flaw is an insecure direct object reference where a user ID supplied in a form submission is trusted without an authorization check. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Divi Form Builder
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-5524 CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP RCE File Upload +1
NVD
CVSS 3.1
9.8
EPSS
0.5%
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation to full account takeover in the Divi Form Builder WordPress plugin (versions up to and including 5.1.8) lets any authenticated user with subscriber-level access or higher change the email address and password of arbitrary accounts, including administrators. The flaw is an insecure direct object reference where a user ID supplied in a form submission is trusted without an authorization check. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Divi Form Builder
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP +3
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy