PT-2026-42460 · WordPress · Divi Form Builder
Jude Nwadinobi
·
Published
2026-05-21
·
Updated
2026-05-23
·
CVE-2026-5118
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Divi Form Builder versions prior to 5.1.3
Description
The Divi Form Builder plugin for WordPress allows unauthenticated attackers to create administrator accounts. This occurs because the plugin accepts a user-controlled
role parameter from POST data during user registration without validating it against the configured default user role setting, leading to privilege escalation.Recommendations
Update to a version later than 5.1.2.
Fix
LPE
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Divi Form Builder