PT-2026-56697 · WordPress · Divi Form Builder
0Xd4Rk5Id3
·
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-5523
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Divi Form Builder versions prior to 5.1.9
Description
Missing authorization allows authenticated attackers with subscriber-level access or higher to perform a complete account takeover. The issue occurs because the
update user() function accepts a user ID parameter from form submissions without verifying if the authenticated user has permission to edit that specific account. Additionally, the handle register submission() function only checks if a user is logged in rather than validating permissions for the target user. This enables the modification of email addresses and passwords for any account, including administrators.Recommendations
Update Divi Form Builder to version 5.1.9 or later.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Divi Form Builder