CVE-2026-2626

HIGH 8.1

Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection

Vendor	unknown
Product	divi-booster
Published	Mar 11, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for unknown divi-booster

Be the first to know when new high vulnerabilities affecting unknown divi-booster are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / divi-booster

0 < 5.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/

Credits

Saif (Team 51) WPScan