Introduction
A missing server side validation check in the Divi Form Builder plugin for WordPress lets any unauthenticated visitor register themselves as a full administrator, no credentials or prior access required. With a CVSS score of 9.8 and trivial exploitation mechanics, this is the kind of flaw that automated scanners and botnets will pick up quickly.
Divi Form Builder is developed by Divi Engine, a well known creator of plugins for the Divi ecosystem. The plugin adds a Form module to the Divi 5 Visual Builder, allowing site owners to build registration forms, contact forms, and other data collection workflows directly within the Divi page builder. Divi Engine serves a broad community of WordPress users who rely on the Divi theme framework, making the blast radius of this vulnerability significant across the WordPress landscape.
Technical Information
Root Cause: Missing Role Parameter Validation
The vulnerability, classified under CWE 269 (Improper Privilege Management), exists in the user registration handling logic of Divi Form Builder versions up to and including 5.1.2. When a registration form is submitted, the plugin reads a role parameter directly from the incoming POST data. The intended behavior is for the plugin to assign the role configured in the form's default_user_role setting. However, the plugin never validates the submitted role value against that configured default. It simply accepts whatever value the client provides.
This is a textbook case of trusting client side input for a security critical decision. The form may render with a hidden or preset role field on the front end, but nothing on the server enforces that the value received matches the value the administrator configured.
Attack Flow
The exploitation path is straightforward:
- An attacker identifies a WordPress site running Divi Form Builder with a user registration form enabled.
- The attacker fills out the registration form normally, or crafts a direct POST request to the form's submission endpoint.
- Before submitting, the attacker intercepts the request using a standard web proxy (such as Burp Suite or browser developer tools) and modifies the
roleparameter in the POST body toadministrator. - The server processes the registration request, reads the attacker supplied
rolevalue, and creates a new WordPress user account with theadministratorrole. - The attacker now has full administrative access to the WordPress installation, including the ability to install plugins, modify themes, access the database, and compromise other user accounts.
No authentication is required at any step. No user interaction from the site owner or any other user is needed. The attack complexity is low, requiring only basic familiarity with HTTP request manipulation.
Severity Breakdown
The CVSS 3.1 metrics paint a clear picture of the risk:
| Metric | Value | Implication |
|---|---|---|
| Base Score | 9.8 (Critical) | Requires immediate remediation |
| Attack Vector | Network (AV:N) | Exploitable remotely over the internet |
| Attack Complexity | Low (AC:L) | Trivial to exploit with standard web interception tools |
| Privileges Required | None (PR:N) | Attackers do not need prior access or accounts |
| User Interaction | None (UI:N) | Can be exploited automatically without victim action |
| Impact (C/I/A) | High across all three | Complete compromise of Confidentiality, Integrity, and Availability |
The combination of network accessibility, zero required privileges, and no user interaction means this vulnerability is well suited for automated, large scale exploitation.
Affected Systems and Versions
| Software | Affected Versions | Patched Version |
|---|---|---|
| Divi Form Builder (WordPress plugin) | All versions up to and including 5.1.2 | 5.1.3 |
Any WordPress site running Divi Form Builder version 5.1.2 or earlier that has a user registration form enabled is vulnerable. Sites that do not use the registration form functionality of the plugin may have reduced exposure, but updating remains the recommended course of action.
Mitigation
The vendor resolved the issue in version 5.1.3 by ensuring that registration forms always assign the exact role chosen in the form settings, preventing new accounts from receiving a higher role than configured. Site administrators should:
- Update immediately to Divi Form Builder version 5.1.3 or newer.
- Audit existing user accounts for any unexpected administrator or elevated privilege accounts that may have been created before the patch was applied.
- Verify registration form behavior after updating to confirm that role assignment enforcement functions correctly.
Threat Intelligence
The vulnerability was publicly disclosed by Wordfence on May 20, 2026, and the NVD record was published on May 21, 2026. As of this writing, available threat intelligence sources do not indicate active exploitation in the wild. However, given the unauthenticated nature of the attack, the low complexity, and the public availability of technical details describing the role parameter manipulation, automated exploitation is a realistic near term concern. The security researcher 0xd4rk5id3 from EnvoraSec was credited with discovering and reporting the vulnerability through coordinated disclosure.



