PT-2026-55198 · WordPress · Divi Form Builder
0Xd4Rk5Id3 · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-5524
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Divi Form Builder versions prior to 5.1.9
Description
Insufficient file extension validation in the do_image_upload() function allows unauthenticated attackers to upload arbitrary files, leading to remote code execution. The user-supplied acceptFileTypes POST parameter is interpolated directly into the regular expression that validates the extension, so the client decides which extensions pass the check. The .htaccess protection in the upload directory can be bypassed with PHP-executable extensions such as .phtml, .phar, .php5 or .php7, and on Nginx-based servers .htaccess files are not read at all, so that protection is entirely ineffective there. The only prerequisite is a nonce, which any unauthenticated visitor can obtain from a public page containing a form; it therefore provides no authorization. An attacker uploads an executable PHP file to the /wp-content/uploads/de_fb_uploads/ directory and executes it with a plain HTTP request.
Recommendations
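The bug class the description names, shown as a vulnerable check beside a hardened one. This is an added illustration for this advisory, not the plugin's code: the vulnerable function is a reconstruction of "client parameter spliced into the validation regex", and the function names, allowlist and MIME map are assumptions. The hardened version ignores the request entirely, checks only the last extension against a server-side allowlist, and requires the sniffed content type to agree with it.

```php
<?php
// Added example for this advisory (not the plugin's code). The "vulnerable"
// function reconstructs the bug class in the description: the client-supplied
// acceptFileTypes POST parameter is spliced into the validation regex.
// Function names, the allowlist and the MIME map are assumptions.

declare(strict_types=1);

// ---- Vulnerable shape (hypothetical reconstruction) ------------------------
function vulnerable_extension_check(string $filename, array $post): bool
{
    // The client decides what is "accepted": a request carrying
    // acceptFileTypes=jpg|png|phtml|phar|php5|php7 validates its own payload.
    $accept = $post['acceptFileTypes'] ?? 'jpg|jpeg|png|gif';
    return preg_match('/\.(' . $accept . ')$/i', $filename) === 1;
}

// ---- Hardened version ------------------------------------------------------
// Server-side allowlist keyed by extension, with the MIME type each one must
// sniff as. The request parameter is never consulted.
const DE_FB_ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

function hardened_extension_check(string $filename, string $tmp_path): bool
{
    // Reject anything that is not a plain basename: traversal, NUL bytes, empty.
    if ($filename === '' || str_contains($filename, "\0")
        || basename($filename) !== $filename) {
        return false;
    }
    // Last extension only: "shell.php.jpg" is "jpg" here and is then refused
    // by the content check unless it really is a JPEG. Preventing execution
    // of a stored file is still the web server's job (the advisory's
    // temporary mitigation), not the upload handler's.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, DE_FB_ALLOWED)) {
        return false;
    }
    // Sniff the real content type; extension and content must agree.
    // Inside WordPress the equivalent is wp_check_filetype_and_ext(), which
    // also honours the site's upload_mimes filter.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($tmp_path) === DE_FB_ALLOWED[$ext];
}

// ---- Demonstration with constructed inputs ---------------------------------
// Attacker-controlled POST body: the regex now contains the PHP extensions.
$malicious = ['acceptFileTypes' => 'jpg|png|phtml|phar|php5|php7'];
var_dump(vulnerable_extension_check('shell.phtml', $malicious));
var_dump(vulnerable_extension_check('shell.phtml', []));

// Constructed temp file: a PHP script, first named as .phtml, then as .jpg.
$tmp = tempnam(sys_get_temp_dir(), 'defb');
file_put_contents($tmp, "<?php system(\$_GET['c']);");
var_dump(hardened_extension_check('shell.phtml', $tmp));
var_dump(hardened_extension_check('shell.jpg', $tmp));
// Constructed minimal JPEG header (SOI marker) with a matching extension.
file_put_contents($tmp, "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16));
var_dump(hardened_extension_check('photo.jpg', $tmp));
unlink($tmp);
```

Two further habits belong with this check in a real upload handler: store the file under a server-generated random name rather than the client's basename, and treat the nonce as what it is, a CSRF token that any visitor to a public form page already holds, not as an access control.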
Update Divi Form Builder to version 5.1.9 or later.
As a temporary mitigation, restrict access to the /wp-content/uploads/de_fb_uploads/ directory so that uploaded files cannot be executed. The rule must cover every extension the PHP handler serves (.php, .phtml, .phar, .php5, .php7, .phps), not only .php, and on Nginx it must live in the server configuration, because .htaccess files are not read there.
Fix
Unrestricted File Upload
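The temporary mitigation from the recommendations, written out for Nginx, the case where the plugin's .htaccess is ineffective. This is an added example for this advisory, not configuration shipped by the plugin or by Divi Engine; the site root and server block are assumptions, and the path is the upload directory the advisory names.

```nginx
# Added example (not the plugin's configuration). Place inside the server {}
# block that serves the WordPress site. Site root and other directives are
# assumptions; the upload path is the one named in the advisory.

# ^~ makes this prefix location win over every regex location, so a site-wide
# "location ~ \.php$ { fastcgi_pass ...; }" can never match a file in here.
location ^~ /wp-content/uploads/de_fb_uploads/ {

    # Refuse every PHP-handled extension outright: no execution and no
    # source disclosure. The nested regex is only consulted for this prefix.
    location ~* \.(php|phtml|phar|php[0-9]|phps)$ {
        return 403;
    }

    # Everything else is served as static bytes; nothing in this block hands
    # a request to PHP-FPM, so an extension missed above still does not run.
    try_files $uri =404;
}
```

Reload with `nginx -t && nginx -s reload`, then confirm with a request for a harmless test file such as `/wp-content/uploads/de_fb_uploads/x.phtml` that the answer is 403 rather than a PHP response. On Apache the equivalent is a FilesMatch deny in the directory's .htaccess that lists the same extensions, with the PHP engine switched off for that directory where mod_php is in use; on Nginx an .htaccess file achieves nothing, which is why this belongs in the server configuration.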
Weakness Enumeration
Related Identifiers
Affected Products
Divi Form Builder