CVE-2026-5118

CRITICAL 9.8

Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.

CWE	CWE-269
Vendor	divi engine
Product	divi form builder
Published	May 21, 2026

Stay Ahead of the Next One

Get instant alerts for divi engine divi form builder

Be the first to know when new critical vulnerabilities affecting divi engine divi form builder are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Divi Engine / Divi Form Builder

0 ≤ 5.1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/72154404-f956-4ea2-96ec-166ade87885f?source=cve diviengine.com: https://diviengine.com/divi-form-builder-changelog/

Credits

Jude Nwadinobi