CVE-2026-5524

Divi Engine · Divi Form Builder

The Divi Form Builder plugin for WordPress contains an arbitrary file upload vulnerability: file extensions are insufficiently validated, so an unauthenticated attacker can upload and execute PHP on the server.

Executive summary

The Divi Form Builder plugin for WordPress is vulnerable to unauthenticated remote code execution, posing a critical risk of total site compromise.

Vulnerability

The flaw is in the plugin's do_image_upload() function. Its file-extension checks can be bypassed, so an unauthenticated request can place a file that the web server treats as executable PHP into the plugin's upload directory, where it can then be invoked directly by URL. The result is arbitrary code execution on the underlying web server.

Business impact

Successful exploitation grants an attacker full control over the WordPress installation and potentially the underlying web server. With a CVSS score of 9.8, this is a critical risk of data exfiltration, site defacement, and the deployment of persistent backdoors, with severe reputational and operational consequences.

Remediation

Immediate Action: Update the Divi Form Builder plugin to the latest available version immediately; the updated release applies stricter file extension filtering in the upload handler.

Proactive Monitoring: Review access logs for requests to the /wp-content/uploads/de_fb_uploads/ directory that name a file with a .php, .phtml, or .phar extension. A 200 response on such a path means the server executed or served an uploaded script; a 404 may be a probe. Also list the directory on disk for files with those extensions (including double extensions such as name.php.jpg, which some Apache handler configurations still execute), since log rotation can hide the original upload.
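The following is an added example for the monitoring step; it is not code from the advisory or from Divi Engine. It parses combined-format access log lines, flags requests for script files under /wp-content/uploads/de_fb_uploads/, counts them per client address, and applies the same extension test to filenames on disk. The log lines are constructed sample data using RFC 5737 documentation addresses; the double-extension and upper-case cases go slightly beyond the advisory's three extensions for the reason given in the comments.

```python
"""Added example (not from the advisory or Divi Engine): triage helpers for
requests to the Divi Form Builder upload directory. Sample log lines below are
constructed, not real traffic."""
import os
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

UPLOAD_DIR = "/wp-content/uploads/de_fb_uploads/"

# .php/.phtml/.phar are the extensions the advisory names. The pattern is not
# anchored at the end of the name, so "photo.phtml.jpg" is flagged too: Apache's
# multiple-extension handling can still pass such a file to PHP. Case-insensitive
# because mod_mime matches extensions case-insensitively.
SCRIPT_EXT = re.compile(r"\.(?:php|phtml|phar)(?:\.|$)", re.IGNORECASE)

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_filenames(names):
    """Return the names that carry a script extension anywhere in the name."""
    return [n for n in names if SCRIPT_EXT.search(n)]


def suspicious_requests(lines):
    """Parse access-log lines; return requests for script files under UPLOAD_DIR."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in this format; skip it
        # Decode percent-encoding and collapse ./ and ../ so obfuscated paths are
        # compared against the same canonical directory prefix.
        path = posixpath.normpath(unquote(urlsplit(m["target"]).path))
        if not path.lower().startswith(UPLOAD_DIR):
            continue
        if flag_filenames([posixpath.basename(path)]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "status": int(m["status"])})
    return hits


def requests_by_ip(hits):
    """Count flagged requests per client address."""
    return Counter(h["ip"] for h in hits)


def script_files_on_disk(root):
    """Walk the upload directory on disk and list files a PHP handler might run."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in flag_filenames(files))
    return sorted(found)


# Constructed sample log lines (not real traffic). The last line is in a
# different uploads subdirectory and is deliberately not flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "GET /wp-content/uploads/de_fb_uploads/1741615331-shell.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:14:02:12 +0000] "GET /wp-content/uploads/de_fb_uploads/1741615331-shell.php?cmd=id HTTP/1.1" 200 128 "-" "curl/8.5.0"
198.51.100.4 - - [10/Mar/2026:14:03:40 +0000] "GET /wp-content/uploads/de_fb_uploads/resume.pdf HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:14:05:02 +0000] "GET /wp-content/uploads/de_fb_uploads/photo.phtml.jpg HTTP/1.1" 200 77 "-" "python-requests/2.32"
203.0.113.99 - - [10/Mar/2026:14:06:00 +0000] "GET /wp-content/uploads/de_fb_uploads/%2e/DROP.PHAR HTTP/1.1" 404 196 "-" "-"
192.0.2.10 - - [10/Mar/2026:14:06:30 +0000] "GET /wp-content/uploads/2026/03/hero.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["ts"]} {h["status"]} {h["path"]}')
    print(dict(requests_by_ip(hits)))
    # On a live site: print(script_files_on_disk("/var/www/html/wp-content/uploads/de_fb_uploads"))
```

Run it against a real log with `suspicious_requests(open("/var/log/apache2/access.log"))`; the file object yields lines, so no extra parsing is needed. Successful (200) hits from the same address, as in the first two sample lines, are the pattern of a webshell being planted and then used, and the path names the file to preserve for forensics before it is removed.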

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules that block upload requests carrying script extensions. Independently of the WAF, configure the web server so that nothing under the uploads directory is executed as PHP; this removes the attacker's ability to invoke an uploaded file regardless of which extension the upload filter let through, and it does not depend on the plugin being patched.
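One way to apply that server-side restriction on Apache, as an added example that is not part of the advisory or of Divi Engine's guidance: an .htaccess file placed in wp-content/uploads/ (which covers de_fb_uploads/ and every other upload subdirectory). It assumes Apache 2.4 with AllowOverride All in effect for that directory.

```apacheconf
# Added example, not from the advisory: wp-content/uploads/.htaccess
# Assumes Apache 2.4 and AllowOverride All for this directory.
#
# "Require all denied" is evaluated in the access-check phase, before any
# handler runs, so the request is refused whether PHP is served by mod_php or
# by php-fpm mapped through SetHandler. The pattern also catches double
# extensions such as name.php.jpg, which mod_mime can otherwise hand to PHP.
<FilesMatch "\.(php|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>
```

Two caveats: on a vhost that routes PHP to php-fpm with ProxyPassMatch in the server config, the proxy decision is made before per-directory .htaccess files are read, so the same Require rule must be placed in a <LocationMatch "^/wp-content/uploads/.*\.(php|phtml|phar)(\.|$)"> block in the vhost instead; and on nginx the equivalent is a location block for ^/wp-content/uploads/.*\.(php|phtml|phar) that returns 403 and is ordered ahead of the fastcgi location. In either case, test by requesting a harmless file placed in the directory and confirming a 403, not a 200.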

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is highly severe because it allows unauthenticated attackers to gain code execution with minimal effort. Organizations must prioritize updating the plugin to the latest version to close the upload bypass vector. If an immediate update is not feasible, deny execution of scripts under the uploads directory via server configuration until patching is complete. Note that updating removes the upload path but not any file already uploaded: inspect /wp-content/uploads/de_fb_uploads/ for script files and, if any are found, treat the host as compromised and investigate before relying on the patched plugin.