PT-2026-56697 · WordPress · Divi Form Builder

0Xd4Rk5Id3

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-5523

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Divi Form Builder versions prior to 5.1.9
Description Missing authorization allows authenticated attackers with subscriber-level access or higher to perform a complete account takeover. The issue occurs because the update user() function accepts a user ID parameter from form submissions without verifying if the authenticated user has permission to edit that specific account. Additionally, the handle register submission() function only checks if a user is logged in rather than validating permissions for the target user. This enables the modification of email addresses and passwords for any account, including administrators.
Recommendations Update Divi Form Builder to version 5.1.9 or later.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-5523

Affected Products

Divi Form Builder