Divi Form Builder

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.

AI Analysis

Unauthenticated privilege escalation vulnerability in Divi Form Builder plugin for WordPress

Basic Information

ID CVE-2026-5118

Source Wordfence

Published May 21, 2026 at 11:32

Affected Product

Vendor Divi Engine

Product Divi Form Builder

Affected Versions Divi Engine Divi Form Builder 0

CWE Classification

CWE-269

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Divi Engine

Product Divi Form Builder

Version 5.1.2

References

{
    "lastseen": "",
    "description": "The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.",
    "published": "2026-05-21T11:32:00.451Z",
    "modified": "2026-05-21T11:32:00.451Z",
    "type": "cve",
    "title": "Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72154404-f956-4ea2-96ec-166ade87885f?source=cve\nhttps://diviengine.com/divi-form-builder-changelog/",
    "id": "CVE-2026-5118",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "Divi Engine Divi Form Builder 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Divi Form Builder",
    "version": "0",
    "vendor": "Divi Engine",
    "ai_description": "Unauthenticated privilege escalation vulnerability in Divi Form Builder plugin for WordPress",
    "ai_severity": "Critical",
    "ai_vendor": "Divi Engine",
    "ai_product": "Divi Form Builder",
    "ai_version": "5.1.2",
    "ai_score": 9.8
}

Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'_CVE-2026-5118