CVE-2026-5118
CriticalSummary
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to and including 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting.
Risk Assessment
Unauthenticated attackers can create administrator accounts by tampering with the role parameter during registration, posing a serious security threat to the system.
Recommendation
It is recommended to update the Divi Form Builder plugin to the latest version and implement validation of the 'role' parameter during user registration.
Original NVD description (English source)
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.

