Critical RCE Vulnerability in Divi Form Builder Plugin for WordPress

First seen 3 Jul 2026, 02:24 UTC. Sources: Feedly, www.incibe.es, vulnerability.circl.lu, db.gcve.eu, vuldb.com

Article Content

The Divi Form Builder plugin for WordPress is vulnerable to arbitrary file upload, leading to remote code execution, in all versions up to and including 5.1.8. The flaw stems from insufficient file-extension validation in the do_image_upload() function: because the check does not cover every extension that a PHP handler will execute, an attacker can upload PHP files that sidestep the plugin's .htaccess-based protections. The flaw can be exploited without authentication if the attacker obtains a nonce from a public page. It carries a CVSS score of 9.8, indicating critical severity. A partial patch shipped in version 5.1.3, but the issue remains unaddressed in subsequent versions. Organizations, especially those running Nginx, which does not honor .htaccess files, are advised to update to a version beyond 5.1.8 and to add server-level protections that prevent execution of uploaded files. Currently, there is no evidence of proof-of-concept exploits or active exploitation in the wild.

Key Points:
• Divi Form Builder plugin versions up to 5.1.8 are vulnerable to RCE via file uploads.
• Attackers can bypass protections by using PHP-executable extensions like .phtml and .phar.
• A CVSS score of 9.8 indicates critical severity; immediate updates are recommended.
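As an added illustration (not code from the plugin or from the advisory), the following Python shows the allowlist-style validation that a ".php-only" blocklist lacks, and a defender-side audit of an uploads listing for names a PHP handler could execute; the extension sets, magic bytes and sample filenames are constructed assumptions.

```python
import os

# Allowlist of image extensions an image-upload endpoint should accept (assumption:
# a blocklist of ".php" alone is what lets .phtml/.phar through, as the advisory describes).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions that common PHP handler configurations execute; constructed set, the page
# itself names only .php, .phtml and .phar.
PHP_EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}

# Leading bytes of the allowed formats, used to reject PHP source renamed with an image extension.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

def extension_segments(filename: str) -> list[str]:
    """Every dot-separated suffix, lower-cased: 'pic.PHP.jpg' -> ['php', 'jpg']."""
    base = os.path.basename(filename.replace("\\", "/"))
    return base.lower().split(".")[1:]

def is_php_executable_name(filename: str) -> bool:
    """True if any suffix segment could be handed to a PHP handler (covers double extensions)."""
    return any(seg in PHP_EXECUTABLE_EXTENSIONS for seg in extension_segments(filename))

def validate_image_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Hardened check: no null bytes, exactly one extension, it is allowlisted, bytes match it."""
    if "\x00" in filename:
        return False, "null byte in filename"
    segments = extension_segments(filename)
    if len(segments) != 1:
        return False, "missing or multiple extensions"
    ext = segments[0]
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False, f"extension .{ext} is not allowlisted"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match the declared image type"
    return True, "ok"

def audit_uploads(filenames) -> list[str]:
    """Defender check: names in an uploads listing that a PHP handler could execute."""
    return sorted(name for name in filenames if is_php_executable_name(name))
```

Run audit_uploads over a listing of wp-content/uploads to find files that should never have been accepted; validate_image_upload is the shape of check an upload handler should apply before writing to disk.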

ThreatCluster AI

Timeline
• 2026-07-02: CVE-2026-5524 published. The vulnerability in the Divi Form Builder plugin was officially published, affecting all versions up to 5.1.8. (Source: Feedly)
• 2026-07-03: INCIBE-CERT issues alert. INCIBE-CERT confirmed the vulnerability details and severity, urging users to update their plugins. (Source: www.incibe.es)
