PT-2026-55198 · WordPress · Divi Form Builder

0Xd4Rk5Id3 · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-5524

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Divi Form Builder versions prior to 5.1.9

Description: Insufficient file extension validation in the do_image_upload() function allows unauthenticated attackers to perform arbitrary file uploads, leading to Remote Code Execution. The issue occurs because user-supplied input from the acceptFileTypes POST parameter is interpolated directly into the regular expression used for validation, so the client controls which extensions pass the check. Attackers can bypass .htaccess protections by using PHP-executable extensions such as .phtml, .phar, .php5, or .php7. On Nginx-based servers the .htaccess protection is entirely ineffective, since Nginx does not process .htaccess files at all. An attacker can obtain a nonce from any public page containing a form, upload executable PHP files to the /wp-content/uploads/de_fb_uploads/ directory, and execute them via HTTP.

Recommendations: Update Divi Form Builder to version 5.1.9 or later. As a temporary mitigation, restrict access to the /wp-content/uploads/de_fb_uploads/ directory so that uploaded files cannot be executed.
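To make the root cause concrete, the following is an added illustration and not Divi Form Builder's code: a hypothetical PHP upload-name validator that places the flawed pattern described above (a request-supplied extension list interpolated into the validation regex) next to a hardened replacement whose allow-list is fixed server-side. The function names, the allow-list contents and the sample file names are constructed for the example.

```php
<?php
// Added example, not Divi Form Builder's code: a hypothetical upload-name
// validator showing the flawed pattern the advisory describes next to a
// hardened replacement. Function names and sample inputs are constructed.

// FLAWED (hypothetical reconstruction of the described defect): the list of
// accepted extensions arrives in the request (acceptFileTypes) and is
// interpolated into the validation regex, so the client controls the check.
function extension_allowed_flawed(string $filename, string $accept_file_types): bool
{
    return preg_match('/\.(' . $accept_file_types . ')$/i', $filename) === 1;
}

// HARDENED: the allow-list lives in server-side code only. The name is reduced
// to its base name, compared case-insensitively, and every dot-separated
// segment after the base must be on the list, so "x.php.jpg" is refused as
// well as "x.phtml". Any request-supplied list is simply ignored.
const UPLOAD_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function extension_allowed(string $filename): bool
{
    // Strip any directory part (both separator styles) before inspecting.
    $name = strtolower(basename(str_replace('\\', '/', $filename)));

    // Trailing dots or spaces are trimmed by some filesystems; refuse them
    // rather than guess what the stored name will become.
    if ($name === '' || $name !== rtrim($name, ". ")) {
        return false;
    }

    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dot-file such as .htaccess
    }

    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, UPLOAD_ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Demonstration on constructed sample names. The "client list" handed to the
// flawed check is whatever the request chooses to send; the hardened check
// takes no such input.
$client_list = 'jpg|png|phtml';   // constructed request value
$samples = ['photo.jpg', 'PHOTO.JPG', 'report.pdf', 'shell.phtml',
            'shell.php5', 'shell.php.jpg', '.htaccess', 'noext'];

foreach ($samples as $f) {
    printf("%-14s flawed: %-4s hardened: %s\n",
        $f,
        extension_allowed_flawed($f, $client_list) ? 'pass' : 'fail',
        extension_allowed($f) ? 'pass' : 'fail');
}
```

Two points worth keeping in mind when applying this pattern inside WordPress. First, core already provides wp_check_filetype_and_ext() and wp_handle_upload(), which validate against the site's allowed MIME list and should be preferred over a plugin's own regex. Second, an extension allow-list complements the temporary mitigation above rather than replacing it: denying script execution in the upload directory at the web-server level protects against validation mistakes, and a nonce harvested from a public form proves only that the request originated from a rendered page, not that the submitter is authorized to upload anything.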

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2026-5524

Affected Products: Divi Form Builder