{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/divi-form-builder--5.1.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Divi Form Builder \u003c= 5.1.2"],"_cs_severities":["critical"],"_cs_tags":["cve","wordpress","privilege escalation","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5118, has been identified in the Divi Form Builder WordPress plugin, affecting versions 5.1.2 and earlier. It allows an unauthenticated attacker to create an administrator account through a registration form built with the plugin. The flaw is in the registration handler in FormSubmissionHandler.php, which accepts the \u0026lsquo;role\u0026rsquo; parameter from the submitted form and passes it to account creation without checking it against the roles the form is permitted to assign, so a submission carrying role=administrator produces an administrator. A publicly available exploit on Sploitus increases the urgency of patching affected systems. 
Exploitation leads to full site takeover: theft of user data and, where WooCommerce is installed, customer and order data; remote code execution through plugin or theme file edits; and persistent access via backdoors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Discovery:\u003c/strong\u003e The attacker identifies sites running vulnerable versions of Divi Form Builder by scanning for registration endpoints, crawling homepage links, parsing XML sitemaps, probing the DFB REST API, and analyzing contact pages.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eForm Parameter Extraction:\u003c/strong\u003e The attacker pulls the required form parameters from the rendered form: \u003ccode\u003efb_nonce\u003c/code\u003e, \u003ccode\u003eform_key\u003c/code\u003e, \u003ccode\u003eform_type\u003c/code\u003e (register), \u003ccode\u003edivi-form-submit\u003c/code\u003e, and the injectable \u003ccode\u003erole\u003c/code\u003e parameter. Because the nonce is embedded in a page served to anonymous visitors, it does not restrict who can submit the form.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRole Injection:\u003c/strong\u003e The attacker sends an HTTP POST to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with \u003ccode\u003eaction\u003c/code\u003e set to \u003ccode\u003ede_fb_ajax_submit_ajax_handler\u003c/code\u003e, \u003ccode\u003erole\u003c/code\u003e set to \u003ccode\u003eadministrator\u003c/code\u003e, and the other required fields.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Creation:\u003c/strong\u003e The \u003ccode\u003ecreate_user()\u003c/code\u003e function in \u003ccode\u003eFormSubmissionHandler.php\u003c/code\u003e creates the account with the role taken from the request, without validating it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The request was unauthenticated, yet the resulting account holds the \u003ccode\u003eadministrator\u003c/code\u003e role and with it every capability on the site; this single step takes the attacker from anonymous visitor to site administrator.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification:\u003c/strong\u003e The attacker logs in at \u003ccode\u003e/wp-login.php\u003c/code\u003e with the new credentials and confirms access to the \u003ccode\u003e/wp-admin/\u003c/code\u003e dashboard.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFull Site Takeover:\u003c/strong\u003e With administrator rights the attacker can create or delete any user, install, activate and edit plugins (including their PHP source), edit theme template files, and change site settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5118 gives an unauthenticated attacker full administrative control over the WordPress site. That enables complete defacement, data theft (including customer data from WooCommerce), installation of malicious plugins or themes for further attacks, and persistent access through backdoors. 
Because the plugin is widely deployed, the number of exposed sites is potentially large.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate to Divi Form Builder 5.1.3 or later, which fixes CVE-2026-5118. Until the update is applied, every registration form built with the plugin is an unauthenticated path to an administrator account.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Divi Form Builder Admin Account Creation\u003c/code\u003e to alert on successful exploitation.\u003c/li\u003e\n\u003cli\u003eHunt for accounts that should not exist. The role is not stored in \u003ccode\u003ewp_users\u003c/code\u003e but in \u003ccode\u003ewp_usermeta\u003c/code\u003e, as the \u003ccode\u003ewp_capabilities\u003c/code\u003e meta value (the \u003ccode\u003ewp_\u003c/code\u003e prefix follows the site's table prefix). Join it to \u003ccode\u003ewp_users.user_registered\u003c/code\u003e and review every administrator created since the vulnerable version was installed, paying particular attention to registrations that coincide with POST requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs a stopgap, add a WAF rule that blocks POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e carrying \u003ccode\u003eaction=de_fb_ajax_submit_ajax_handler\u003c/code\u003e together with \u003ccode\u003erole=administrator\u003c/code\u003e (or any role the form is not meant to assign). Do not block \u003ccode\u003erole=administrator\u003c/code\u003e site-wide: WordPress's own user screens in \u003ccode\u003ewp-admin\u003c/code\u003e post the same parameter when an administrator creates or edits a user. The rule is a compensating control, not a fix, because the handler still trusts whatever role it receives; the fix is for the handler to take the role from server-side form configuration and never from the request.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T11:02:11Z","date_published":"2026-05-21T11:02:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-divi-form-builder-privesc/","summary":"CVE-2026-5118 is a critical vulnerability in the Divi Form Builder WordPress plugin (versions 5.1.2 and earlier) that allows unauthenticated attackers to create administrator accounts directly through the registration form, leading to full site takeover.","title":"Divi Form Builder Unauthenticated Privilege Escalation via CVE-2026-5118","url":"https://feed.craftedsignal.io/briefs/2026-05-divi-form-builder-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Divi Form Builder \u003c= 5.1.2","version":"https://jsonfeed.org/version/1.1"}
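The handler pattern the attack chain in the brief describes, and the fix it implies, as an added PHP example. This is not Divi Form Builder's source and not the feed's code: the `de_fb_*` function names, the `$form_settings` array and its `register_role` key are assumptions standing in for the plugin's real form configuration. The first function sketches the class of bug described above (the `role` value is read from the request and handed to `wp_insert_user()`); the second derives the role server-side and refuses any role that carries an administrative capability.

```php
<?php
/**
 * Added example, not the plugin's code. Shows the vulnerable pattern the
 * advisory describes next to a hardened version. Function names and the
 * $form_settings['register_role'] key are assumptions.
 */

/* ---- Vulnerable pattern (sketch, not Divi Form Builder's create_user()) ---- */

/**
 * The role is taken from the POST body. An anonymous visitor who submits
 * role=administrator gets an administrator account.
 *
 * @return int|WP_Error
 */
function de_fb_create_user_vulnerable() {
    $role = isset($_POST['role']) ? sanitize_key(wp_unslash($_POST['role'])) : 'subscriber';

    return wp_insert_user([
        'user_login' => sanitize_user(wp_unslash($_POST['username'] ?? ''), true),
        'user_email' => sanitize_email(wp_unslash($_POST['email'] ?? '')),
        'user_pass'  => (string) ($_POST['password'] ?? wp_generate_password()),
        'role'       => $role, // client-controlled: this is the bug
    ]);
}

/* ---- Hardened: the client never chooses the role --------------------------- */

/** Capabilities that no self-registration role may carry. */
const DE_FB_PRIVILEGED_CAPS = [
    'manage_options', 'edit_users', 'create_users', 'promote_users', 'delete_users',
    'install_plugins', 'edit_plugins', 'activate_plugins', 'install_themes',
    'edit_themes', 'edit_files', 'unfiltered_html', 'unfiltered_upload',
];

/**
 * Resolve the registration role from server-side form settings only.
 * Falls back to the site's default role when the configured role is missing,
 * unknown to WP_Roles, or carries any privileged capability.
 */
function de_fb_resolve_registration_role(array $form_settings): string {
    $default = get_option('default_role', 'subscriber');
    $role    = isset($form_settings['register_role'])
        ? sanitize_key($form_settings['register_role'])
        : '';

    if ($role === '' || ! wp_roles()->is_role($role)) {
        return $default;
    }

    $role_obj = get_role($role);
    foreach (DE_FB_PRIVILEGED_CAPS as $cap) {
        if (! empty($role_obj->capabilities[$cap])) {
            return $default; // never hand out a privileged role via self-registration
        }
    }
    return $role;
}

/**
 * Hardened account creation. Anything named 'role' in the request is ignored;
 * the role comes from de_fb_resolve_registration_role() and nowhere else.
 *
 * @return int|WP_Error
 */
function de_fb_create_user_hardened(array $form_settings) {
    unset($_POST['role']); // defensive: make sure nothing downstream reads it

    $user_login = sanitize_user(wp_unslash($_POST['username'] ?? ''), true);
    $user_email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    if ($user_login === '' || ! is_email($user_email)) {
        return new WP_Error('de_fb_invalid_input', 'A username and a valid email are required.');
    }

    return wp_insert_user([
        'user_login' => $user_login,
        'user_email' => $user_email,
        'user_pass'  => wp_generate_password(24), // user sets their own via the reset link
        'role'       => de_fb_resolve_registration_role($form_settings),
    ]);
}
```

Nonce verification (`check_ajax_referer()`) still belongs at the top of a real AJAX handler, but it is not the fix for this bug: as the attack chain notes, `fb_nonce` is served to every anonymous visitor. The capability deny-list is deliberately broader than "not administrator", so that an editor or a custom role with `edit_plugins` cannot be assigned through the same path either.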
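A detection to pair with the Sigma rule and the `wp_usermeta` review in the recommendations: a WordPress must-use plugin, added here as an example (not part of Divi Form Builder or of the feed), that hooks the core `set_user_role` and `add_user_role` actions, which `wp_insert_user()` and `WP_User::add_role()` fire when a role is granted. Every grant of `administrator` is logged, and a grant made by a request with no authenticated user (the CVE-2026-5118 pattern) or by a user without `promote_users` is mailed to the site admin. The `arm_` prefix and the log line format are arbitrary choices for the example.

```php
<?php
/**
 * Plugin Name: Admin Role Grant Monitor (added example)
 * Description: Logs every grant of the administrator role and alerts when the
 *              granting request carried no authenticated user. Drop into
 *              wp-content/mu-plugins/. Not part of Divi Form Builder.
 */

/**
 * Build one log line describing who granted 'administrator' to whom.
 * $actor_id is 0 for an unauthenticated request.
 */
function arm_describe_admin_grant(int $user_id, int $actor_id): string {
    $user = get_userdata($user_id);
    return sprintf(
        '[admin-role-grant] user_id=%d login=%s email=%s actor_id=%d remote_addr=%s uri=%s',
        $user_id,
        $user ? $user->user_login : '?',
        $user ? $user->user_email : '?',
        $actor_id,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-'
    );
}

/**
 * Hook callback. Fires for wp_insert_user(['role' => 'administrator'])
 * (set_user_role) and for $user->add_role('administrator') (add_user_role).
 */
function arm_on_role_grant(int $user_id, string $role): void {
    if ($role !== 'administrator') {
        return;
    }

    $actor_id = get_current_user_id(); // 0 when nobody is logged in
    $line     = arm_describe_admin_grant($user_id, $actor_id);
    error_log($line);

    // An administrator created by an anonymous request, or by someone who may
    // not promote users, is the signal worth paging on.
    if ($actor_id === 0 || ! user_can($actor_id, 'promote_users')) {
        wp_mail(get_option('admin_email'), 'Suspicious administrator grant', $line);
    }
}

// set_user_role passes ($user_id, $role, $old_roles); add_user_role passes ($user_id, $role).
add_action('set_user_role', 'arm_on_role_grant', 10, 2);
add_action('add_user_role', 'arm_on_role_grant', 10, 2);
```

Expect one alert per legitimate `wp user create --role=administrator` run under WP-CLI as well, since CLI requests also have user ID 0; that noise is cheap and easy to suppress by checking `defined('WP_CLI')` if it matters. The hook only sees grants made after it is installed, so the `wp_usermeta` review remains the way to find administrators created before the plugin was updated.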