ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-1829 Remote Code Execution in Content Visibility for Divi Builder WordPress Plugin

A brief summary of CVE-2026-1829, an authenticated remote code execution vulnerability in the Content Visibility for Divi Builder WordPress plugin that allows Contributor-level users to execute arbitrary PHP code via a shortcode parameter.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-02

Quick Look: CVE-2026-1829 Remote Code Execution in Content Visibility for Divi Builder WordPress Plugin
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A WordPress plugin designed to show or hide Divi Builder content based on PHP expressions was doing exactly what you might fear: evaluating user-supplied PHP code without adequate restrictions. The result is CVE-2026-1829, an authenticated Remote Code Execution vulnerability that lets any user with Contributor-level access run arbitrary code on the server.

Content Visibility for Divi Builder is a WordPress plugin that extends the popular Divi theme and page builder (by Elegant Themes) by allowing site administrators to conditionally display or hide sections and modules based on the outcome of PHP boolean expressions. The plugin has approximately 2,000+ active installations and has been available since February 2016. It occupies a niche but meaningful role in the Divi ecosystem, which itself powers a significant portion of WordPress sites using premium page builders.

Technical Information

Root Cause: PHP Expression Evaluation in Shortcode Parameters

The architectural root cause of CVE-2026-1829 is the plugin's design decision to evaluate PHP expressions supplied by users to determine content visibility. The plugin allows "Sections and Modules to be displayed/hidden based on the outcome of a PHP boolean expression," and this expression is passed through the cvdb_content_visibility_check parameter of the et_pb_text shortcode.

The vulnerable code resides in includes/plugin.class.php at line 229 of the version 4.01 codebase. When the shortcode is rendered, the value of cvdb_content_visibility_check is processed without adequate sanitization or capability validation, allowing the injection and execution of arbitrary PHP code.

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code), which is the standard classification for code injection flaws where an application constructs code using externally influenced input without proper neutralization.

CVSS Breakdown

The CVSS v3.1 base score is 8.8 with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H:

CVSS MetricValueInterpretation
Attack Vector (AV)NetworkExploitable remotely over the internet
Attack Complexity (AC)LowNo special conditions required
Privileges Required (PR)LowContributor level access sufficient
User Interaction (UI)NoneNo victim action needed
Scope (S)UnchangedImpact limited to vulnerable component
Confidentiality (C)HighFull data compromise possible
Integrity (I)HighComplete data modification possible
Availability (A)HighDenial of service possible

Attack Flow

The exploitation chain for CVE-2026-1829 follows a straightforward path:

  1. Authentication: The attacker obtains Contributor-level (or higher) access to the target WordPress site. Contributor is the lowest authoring role in WordPress, commonly granted to guest authors, freelance writers, and content team members.

  2. Shortcode Injection: The attacker crafts a post containing the et_pb_text shortcode with a malicious value in the cvdb_content_visibility_check parameter. Because Contributors can create and submit draft posts, they have access to the shortcode system.

  3. Code Execution: When the shortcode is rendered (either during preview or when the post is published), the malicious parameter value is evaluated as PHP code on the server. This grants the attacker arbitrary code execution in the context of the web server process.

  4. Post-Exploitation: With server-side code execution established, the attacker can read sensitive files (including wp-config.php with database credentials), escalate privileges to Administrator, install persistent backdoors, or pivot to other systems accessible from the web server.

The combination of low privilege requirements and low attack complexity means that once a potential attacker understands the vulnerable parameter, exploitation is trivial. Multi-author WordPress sites, sites with open registration, or sites where Contributor accounts have been compromised through credential stuffing are all viable targets.

Affected Systems and Versions

The vulnerability affects the Content Visibility for Divi Builder WordPress plugin in all versions up to and including 4.02.

The plugin requires:

  • WordPress 5.5 or higher
  • PHP 7.0 or higher
  • Divi theme or Divi Builder plugin version 3 or higher (from Elegant Themes)

The fix was introduced in version 5.00, committed in changeset 3543621 on May 22, 2026. The current latest version as of disclosure is 5.02.

Sites running any version from the plugin's initial release through version 4.02 should be considered vulnerable.

Vendor Security History

The Content Visibility for Divi Builder plugin's core design of evaluating PHP boolean expressions for content visibility created an inherent security risk that ultimately manifested as this RCE vulnerability. The fix in version 5.00 was not a simple patch but a significant architectural refactor, as evidenced by the version jump from 4.02 directly to 5.00 (skipping the rest of the 4.x line entirely). The changeset message "Add security scanner and REST API" indicates the developer restructured how expressions are validated, adding expression validation described as preventing "dangerous PHP code from being executed." The developer also potentially moved visibility checking to a server-side REST API endpoint rather than evaluating raw PHP in shortcode handlers.

The developer responded to the coordinated disclosure process in a timely manner, committing the fix approximately 11 days before public disclosure on June 2, 2026.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization