CVE Catalog

CVE-2026-5118

Critical
Published: Translated: NVD NIST

Summary

The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to and including 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting.

Risk Assessment

Unauthenticated attackers can create administrator accounts by tampering with the role parameter during registration, posing a serious security threat to the system.

Recommendation

It is recommended to update the Divi Form Builder plugin to the latest version and implement validation of the 'role' parameter during user registration.

Original NVD description (English source)

The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS