Arbitrary File Upload Vulnerability in Divi Form Builder Plugin for WordPress
CVE-2026-5524

9.8 CRITICAL

Key Information:

Vendor

WordPress

CVE Published:
2 July 2026

What is CVE-2026-5524?

The Divi Form Builder plugin for WordPress contains an arbitrary file upload vulnerability that can lead to remote code execution. The root cause is insufficient validation of file extensions in the do_image_upload() function: the check does not reject every extension the web server will execute as PHP, so an attacker can upload files with executable extensions such as .phtml and .phar. The plugin tries to compensate by placing a .htaccess file in the upload directory to block execution, but Nginx does not read .htaccess files, so that defence is ineffective on Nginx-backed sites. Because the upload endpoint is reachable without authentication and uploaded files land in the web-accessible directory /wp-content/uploads/de_fb_uploads/, an unauthenticated attacker can upload a PHP file and then execute it with a plain HTTP request. A partial fix shipped in version 5.1.3, but it did not close the issue; all versions up to and including 5.1.8 are affected.
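The following is an added illustration of the bug class, not code from the Divi Form Builder plugin. The weak checker models a denylist that refuses only the literal ".php" suffix, which is the pattern that lets .phtml, .phar, upper-case and double-extension names through; the hardened checker is what a reviewer would expect in its place: a single extension, an allowlist of image types, and a magic-byte check on the content. The extension sets and sample uploads are constructed for the example.

```python
"""Extension validation for an upload handler: weak denylist vs allowlist.

Added illustration, not the plugin's own code. weak_is_allowed() models the
class of bug described for do_image_upload(); hardened_is_allowed() shows
the allowlist approach a reviewer would ask for instead.
"""
import os

# Extensions commonly mapped to the PHP interpreter. Constructed for the
# example; the exact set depends on the server configuration.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Image types an image-upload form is meant to accept, with each format's
# leading bytes.
ALLOWED_IMAGE_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_is_allowed(filename: str) -> bool:
    """Denylist check of the kind that lets .phtml and .phar through.

    Only the literal lowercase '.php' suffix is refused, so 'shell.phtml',
    'shell.phar' and 'SHELL.PHP' are all accepted.
    """
    return not filename.endswith(".php")


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allowlist check: one extension, known image type, matching magic bytes."""
    base = os.path.basename(filename)       # drop any directory component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:     # rejects 'a.php.jpg', '.htaccess', 'noext'
        return False
    ext = parts[1]
    if ext in EXECUTABLE_EXTENSIONS:        # redundant with the allowlist, kept as defence in depth
        return False
    if ext not in ALLOWED_IMAGE_TYPES:
        return False
    return content.startswith(ALLOWED_IMAGE_TYPES[ext])


def classify(filename: str, content: bytes) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {
        "weak": weak_is_allowed(filename),
        "hardened": hardened_is_allowed(filename, content),
    }


# Constructed sample uploads; the bodies are tiny stand-ins, not real files.
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.phtml", b"<?php system($_GET['c']); ?>"),
    ("shell.phar", b"<?php system($_GET['c']); ?>"),
    ("SHELL.PHP", b"<?php system($_GET['c']); ?>"),
    ("shell.php.jpg", b"\xff\xd8\xff" + b"<?php system($_GET['c']); ?>"),
    ("fake.png", b"<?php system($_GET['c']); ?>"),
]


if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name:16} {classify(name, body)}")
```

Running the block shows every attacker-controlled name except shell.php passing the weak check while only photo.png passes the hardened one. Note that the extension check is only half of the fix: the other half is making sure the web server never hands files from the upload directory to the PHP interpreter. A .htaccess file does that only on Apache with overrides enabled; on Nginx the equivalent rule has to live in the server configuration, which is exactly why the .htaccess mitigation described above fails there.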

Affected Version(s)

Divi Form Builder, all versions up to and including 5.1.8

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Reserved

  • Vulnerability Published

Credit

0xd4rk5id3