CVE-2026-5523

Divi Engine · Divi Form Builder

The Divi Form Builder plugin for WordPress is vulnerable to an authorization bypass, allowing authenticated users to perform unauthorized actions via improper capability checks.

Executive summary

A high-severity authorization bypass vulnerability in the Divi Form Builder plugin for WordPress allows authenticated attackers to potentially modify forms or manipulate data.

Vulnerability

The plugin suffers from an authorization bypass (CWE-639) due to insufficient capability checks. This allows a logged-in user with lower privileges to access administrative functions within the plugin that should be restricted.

Business impact

Successful exploitation could lead to unauthorized data access, modification of form structures, or potential site-wide configuration changes. With a CVSS score of 8.8, this vulnerability poses a significant risk to the integrity and confidentiality of the WordPress environment, potentially resulting in data loss or unauthorized administrative actions.

Remediation

Immediate Action: Update the Divi Form Builder plugin to the latest available version provided by the vendor.

Proactive Monitoring: Review WordPress user activity logs for unusual administrative actions performed by non-admin accounts.

Compensating Controls: Implement a Web Application Firewall (WAF) to detect and block suspicious requests targeting plugin administrative endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The vulnerability represents a significant risk to site integrity. IT administrators must prioritize updating the Divi Form Builder plugin immediately to mitigate the risk of unauthorized access and potential administrative compromise.