Unauthorized Access and PHP Object Injection in Divi-Booster Plugin
CVE-2026-2626

8.1HIGH

Key Information:

Vendor: WordPress
Status: Divi-booster
Vendor: CVE Published:; 11 March 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-2626?

The Divi-Booster plugin for WordPress, prior to version 5.0.2, contains a flaw that allows unauthorized users to modify the plugin's settings due to a lack of authorization and CSRF checks. The vulnerability stems from using unserialize() on untrusted data, posing a risk of PHP Object Injection when combined with a crafted PHP gadget chain. This can lead to further exploitation and manipulation of the affected WordPress site.

Affected Version(s)

divi-booster 0 < 5.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-2626 - Proof of Concept

References

https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 11, 2026
👾
Exploit known to exist
Mar 11, 2026
Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Feb 17, 2026

Credit

Saif (Team 51)

WPScan

CVE-2026-2626 Data

JSON