ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-5118 — Unauthenticated Privilege Escalation in Divi Form Builder for WordPress

A short review of CVE-2026-5118, a critical privilege escalation vulnerability in the Divi Form Builder WordPress plugin that allows unauthenticated attackers to create administrator accounts by tampering with a POST parameter during registration.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-21

Brief Summary: CVE-2026-5118 — Unauthenticated Privilege Escalation in Divi Form Builder for WordPress
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing server side validation check in the Divi Form Builder plugin for WordPress lets any unauthenticated visitor register themselves as a full administrator, no credentials or prior access required. With a CVSS score of 9.8 and trivial exploitation mechanics, this is the kind of flaw that automated scanners and botnets will pick up quickly.

Divi Form Builder is developed by Divi Engine, a well known creator of plugins for the Divi ecosystem. The plugin adds a Form module to the Divi 5 Visual Builder, allowing site owners to build registration forms, contact forms, and other data collection workflows directly within the Divi page builder. Divi Engine serves a broad community of WordPress users who rely on the Divi theme framework, making the blast radius of this vulnerability significant across the WordPress landscape.

Technical Information

Root Cause: Missing Role Parameter Validation

The vulnerability, classified under CWE 269 (Improper Privilege Management), exists in the user registration handling logic of Divi Form Builder versions up to and including 5.1.2. When a registration form is submitted, the plugin reads a role parameter directly from the incoming POST data. The intended behavior is for the plugin to assign the role configured in the form's default_user_role setting. However, the plugin never validates the submitted role value against that configured default. It simply accepts whatever value the client provides.

This is a textbook case of trusting client side input for a security critical decision. The form may render with a hidden or preset role field on the front end, but nothing on the server enforces that the value received matches the value the administrator configured.

Attack Flow

The exploitation path is straightforward:

  1. An attacker identifies a WordPress site running Divi Form Builder with a user registration form enabled.
  2. The attacker fills out the registration form normally, or crafts a direct POST request to the form's submission endpoint.
  3. Before submitting, the attacker intercepts the request using a standard web proxy (such as Burp Suite or browser developer tools) and modifies the role parameter in the POST body to administrator.
  4. The server processes the registration request, reads the attacker supplied role value, and creates a new WordPress user account with the administrator role.
  5. The attacker now has full administrative access to the WordPress installation, including the ability to install plugins, modify themes, access the database, and compromise other user accounts.

No authentication is required at any step. No user interaction from the site owner or any other user is needed. The attack complexity is low, requiring only basic familiarity with HTTP request manipulation.

Severity Breakdown

The CVSS 3.1 metrics paint a clear picture of the risk:

MetricValueImplication
Base Score9.8 (Critical)Requires immediate remediation
Attack VectorNetwork (AV:N)Exploitable remotely over the internet
Attack ComplexityLow (AC:L)Trivial to exploit with standard web interception tools
Privileges RequiredNone (PR:N)Attackers do not need prior access or accounts
User InteractionNone (UI:N)Can be exploited automatically without victim action
Impact (C/I/A)High across all threeComplete compromise of Confidentiality, Integrity, and Availability

The combination of network accessibility, zero required privileges, and no user interaction means this vulnerability is well suited for automated, large scale exploitation.

Affected Systems and Versions

SoftwareAffected VersionsPatched Version
Divi Form Builder (WordPress plugin)All versions up to and including 5.1.25.1.3

Any WordPress site running Divi Form Builder version 5.1.2 or earlier that has a user registration form enabled is vulnerable. Sites that do not use the registration form functionality of the plugin may have reduced exposure, but updating remains the recommended course of action.

Mitigation

The vendor resolved the issue in version 5.1.3 by ensuring that registration forms always assign the exact role chosen in the form settings, preventing new accounts from receiving a higher role than configured. Site administrators should:

  1. Update immediately to Divi Form Builder version 5.1.3 or newer.
  2. Audit existing user accounts for any unexpected administrator or elevated privilege accounts that may have been created before the patch was applied.
  3. Verify registration form behavior after updating to confirm that role assignment enforcement functions correctly.

Threat Intelligence

The vulnerability was publicly disclosed by Wordfence on May 20, 2026, and the NVD record was published on May 21, 2026. As of this writing, available threat intelligence sources do not indicate active exploitation in the wild. However, given the unauthenticated nature of the attack, the low complexity, and the public availability of technical details describing the role parameter manipulation, automated exploitation is a realistic near term concern. The security researcher 0xd4rk5id3 from EnvoraSec was credited with discovering and reporting the vulnerability through coordinated disclosure.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization