{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/elegant-themes/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5523"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Divi Form Builder plugin \u003c= 5.1.8"],"_cs_severities":["medium"],"_cs_tags":["wordpress","plugin","vulnerability","web-application","account-takeover","missing-authorization"],"_cs_type":"advisory","_cs_vendors":["Elegant Themes"],"content_html":"\u003cp\u003eThe Divi Form Builder plugin for WordPress, in versions up to and including 5.1.8, contains a critical Missing Authorization vulnerability, tracked as CVE-2026-5523. This flaw stems from the \u003ccode\u003eupdate_user()\u003c/code\u003e and \u003ccode\u003ehandle_register_submission()\u003c/code\u003e functions, which fail to adequately verify user permissions when processing form submissions. Specifically, \u003ccode\u003eupdate_user()\u003c/code\u003e accepts a user ID parameter without confirming the authenticated user's authority to modify that account, while \u003ccode\u003ehandle_register_submission()\u003c/code\u003e merely checks for any logged-in user instead of validating specific target user permissions. This allows authenticated attackers with even subscriber-level access to manipulate user accounts. Exploitation can lead to changing the email address and password of any user, including administrators, culminating in complete account takeover. This vulnerability is significant for WordPress site defenders using the affected plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker, possessing subscriber-level credentials, logs into the vulnerable WordPress site running the Divi Form Builder plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting a Divi Form Builder endpoint that leverages the \u003ccode\u003eupdate_user()\u003c/code\u003e or \u003ccode\u003ehandle_register_submission()\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003eWithin the crafted request, the attacker includes a user ID parameter corresponding to a target user (e.g., an administrator account) and new values for the \u003ccode\u003euser_email\u003c/code\u003e and \u003ccode\u003euser_pass\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eThe Divi Form Builder plugin, specifically versions up to 5.1.8, processes this request without performing sufficient authorization checks on the supplied user ID.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization, the plugin proceeds to update the email address and password of the targeted user account in the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses the newly set credentials to successfully log in to the compromised account, achieving full account takeover.\u003c/li\u003e\n\u003cli\u003eIf an administrator account was targeted, the attacker now possesses complete administrative control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5523 grants authenticated attackers, even those with low-privilege subscriber accounts, the ability to take over any user account on the affected WordPress site. This includes administrator accounts, leading to a complete compromise of the website. An attacker with administrative control can deface the site, inject malicious code, steal sensitive data, install backdoors, or use the site for further attacks. The CVSS v3.1 Base Score for this vulnerability is 8.8, indicating high severity and potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2026-5523 by updating the Divi Form Builder plugin for WordPress to version 5.1.9 or higher.\u003c/li\u003e\n\u003cli\u003eReview all user accounts for any unauthorized changes to email addresses or passwords since the plugin was installed.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication (MFA) for all WordPress user accounts, especially administrators.\u003c/li\u003e\n\u003cli\u003eConsider deploying a Web Application Firewall (WAF) to potentially filter requests attempting to exploit known vulnerabilities like CVE-2026-5523.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T06:17:43Z","date_published":"2026-07-09T06:17:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-divi-form-builder-auth-bypass/","summary":"The Divi Form Builder plugin for WordPress versions up to 5.1.8 is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access to change the email and password of any user, including administrators, by exploiting improper authorization checks in the update_user() and handle_register_submission() functions, enabling complete account takeover.","title":"Divi Form Builder Missing Authorization Vulnerability (CVE-2026-5523) Leads to Account Takeover","url":"https://feed.craftedsignal.io/briefs/2026-07-divi-form-builder-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Elegant Themes","version":"https://jsonfeed.org/version/1.1"}