Arbitrary File Upload Vulnerability in Divi Form Builder Plugin for WordPress
CVE-2026-5524
What is CVE-2026-5524?
The Divi Form Builder plugin for WordPress has a significant vulnerability that allows arbitrary file uploads, leading to potential remote code execution. The issue arises from inadequate validation of file extensions in the do_image_upload() function: because the extension is derived from user-supplied input without an adequate check, attackers can upload files with executable PHP extensions such as .phtml and .phar. While the plugin attempts to block certain file types using .htaccess, this protection fails on Nginx servers, which do not process .htaccess rules. Unauthenticated users can leverage this vulnerability to upload harmful files to the publicly accessible directory (/wp-content/uploads/de_fb_uploads/), enabling them to execute malicious code via HTTP. A partial patch was implemented in version 5.1.3, but the issue remains critical for versions prior to this update.
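The two weaknesses described above (an extension check that can be bypassed with alternative PHP extensions, and an .htaccess-only execution block that Nginx ignores) are both addressed by the following added example. It is not the plugin's code and does not reproduce do_image_upload(); it is a hypothetical hardened upload validator for a WordPress plugin that assumes the WordPress API (wp_check_filetype_and_ext, sanitize_file_name, wp_mkdir_p) is loaded. The function and directory names are illustrative.

```php
<?php
/**
 * Added example, not the Divi Form Builder plugin's own code.
 * Hardened image-upload validation for a WordPress plugin. Assumes the
 * WordPress API is loaded (wp_check_filetype_and_ext, sanitize_file_name,
 * wp_mkdir_p). All names are hypothetical.
 */

/**
 * Validate a $_FILES entry and return a safe name to store it under.
 * Returns ['ok' => bool, 'error' => string] or
 *         ['ok' => true, 'stored_name' => string, 'mime' => string].
 */
function example_validate_image_upload(array $file): array
{
    // Allow-list of extensions and their MIME types. A deny-list that only
    // blocks ".php" is exactly what lets .phtml and .phar through; an
    // allow-list rejects everything not explicitly permitted.
    $allowed_mimes = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    ];

    if (!isset($file['tmp_name'], $file['name']) || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'error' => 'not an uploaded file'];
    }

    $name = sanitize_file_name((string) $file['name']);
    if ($name === '') {
        return ['ok' => false, 'error' => 'empty filename'];
    }

    // Check the extension AND the file content (WordPress sniffs image
    // bytes with getimagesize()/finfo) against the allow-list, rather than
    // trusting the user-supplied name alone.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $name, $allowed_mimes);
    if (empty($check['ext']) || empty($check['type'])) {
        return ['ok' => false, 'error' => 'file type not permitted'];
    }

    // Never store the file under the client-supplied name. A random name with
    // the validated extension also defuses double-extension tricks such as
    // "x.phar.jpg", because only the validated final extension survives.
    $stored = bin2hex(random_bytes(16)) . '.' . $check['ext'];

    return ['ok' => true, 'stored_name' => $stored, 'mime' => $check['type']];
}

/**
 * Defence in depth: the upload directory must never execute server-side
 * code even if validation is bypassed. The .htaccess written here covers
 * Apache (2.4 syntax) only; Nginx ignores it and needs an equivalent rule in
 * the server configuration (see the note after this block).
 */
function example_harden_upload_dir(string $dir): void
{
    if (!is_dir($dir)) {
        wp_mkdir_p($dir);
    }

    $htaccess = "<FilesMatch \"\\.(php|php[0-9]|phtml|phar|inc)\$\">\n"
              . "  Require all denied\n"
              . "</FilesMatch>\n";

    if (!file_exists($dir . '/.htaccess')) {
        file_put_contents($dir . '/.htaccess', $htaccess);
    }
    // An index file prevents directory listing of uploaded content.
    if (!file_exists($dir . '/index.php')) {
        file_put_contents($dir . '/index.php', "<?php // Silence is golden.\n");
    }
}
```

In practice a plugin should prefer WordPress's own wp_handle_upload() (passing the same allow-list via its 'mimes' option), which performs the checks above for you. Because .htaccess has no effect on Nginx, deployments on that server need a rule in the site configuration, for example a location block matching `^/wp-content/uploads/.*\.(php|php[0-9]|phtml|phar)$` that returns 403 or `deny all`, and ideally no PHP handler configured for the uploads path at all.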
Affected Version(s)
Divi Form Builder: all versions from 0 up to and including 5.1.8