Divi Form Builder <= 5.1.2 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/divi-form-builder--5.1.2/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 21 May 2026 11:02:11 +0000Divi Form Builder Unauthenticated Privilege Escalation via CVE-2026-5118https://feed.craftedsignal.io/briefs/2026-05-divi-form-builder-privesc/Thu, 21 May 2026 11:02:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-divi-form-builder-privesc/CVE-2026-5118 is a critical vulnerability in the Divi Form Builder WordPress plugin (versions 5.1.2 and earlier) that allows unauthenticated attackers to create administrator accounts directly through the registration form, leading to full site takeover.A critical vulnerability, CVE-2026-5118, has been identified in the Divi Form Builder WordPress plugin, affecting versions 5.1.2 and earlier. This flaw allows unauthenticated attackers to escalate privileges and create administrator accounts via a registration form. The vulnerability stems from insufficient validation of the ‘role’ parameter in the FormSubmissionHandler.php script during user registration. A publicly available exploit on Sploitus increases the urgency for patching affected systems. Exploitation leads to full site takeover, data breaches (if WooCommerce is installed), remote code execution via plugin/theme modification, persistent access via backdoors, and privacy violations due to access to all user data.

Attack Chain

  1. Target Discovery: The attacker identifies websites using vulnerable versions of the Divi Form Builder plugin by scanning for registration endpoints, crawling homepage links, parsing XML sitemaps, probing the DFB REST API, and analyzing contact pages.
  2. Form Parameter Extraction: The attacker extracts required form parameters, including fb_nonce, form_key, form_type (register), divi-form-submit, and the injectable role parameter.
  3. Role Injection: The attacker crafts a malicious HTTP POST request to /wp-admin/admin-ajax.php, setting the action parameter to de_fb_ajax_submit_ajax_handler and injecting administrator into the role parameter along with other required fields.
  4. Account Creation: The vulnerable create_user() function in FormSubmissionHandler.php creates a new user account with the injected administrator role without proper validation.
  5. Privilege Escalation: The newly created user account is assigned the administrator role, granting full control over the WordPress website.
  6. Verification: The attacker verifies the successful privilege escalation by logging in to /wp-login.php with the created account credentials and accessing the /wp-admin/ dashboard.
  7. Full Site Takeover: The attacker gains complete control over the WordPress site, including the ability to create/delete any user, install/activate/edit plugins (including PHP), edit theme template files, and modify site settings.

Impact

Successful exploitation of CVE-2026-5118 allows an unauthenticated attacker to gain full administrative control over a WordPress website. This can lead to complete site defacement, data theft (including customer data from WooCommerce), installation of malicious plugins or themes for further attacks, and persistent access through backdoors. The number of affected sites is potentially large due to the widespread use of the Divi Form Builder plugin.

Recommendation

  • Immediately update to Divi Form Builder version 5.1.3 or later to patch CVE-2026-5118, as mentioned in the timeline.
  • Deploy the Sigma rule Detect Divi Form Builder Admin Account Creation to monitor for successful exploitation attempts.
  • Monitor wp_users table for new administrator accounts created through suspicious activity, as suggested in the mitigation section.
  • Apply a WAF rule to block requests with the role=administrator parameter in POST requests, as also noted in the mitigation advice.
]]>criticaladvisorycvewordpressprivilege escalationcloud