๐Ÿ” CVE Alert

CVE-2026-5524

CRITICAL 9.8

Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter

CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do_image_upload() function where user-supplied input from the acceptFileTypes POST parameter is directly interpolated into a regular expression used to validate uploaded files. Attackers can specify PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass the plugin's .htaccess protection which only blocks .php files specifically. Additionally, on Nginx-based servers, the .htaccess protection is completely ineffective as Nginx does not process .htaccess files. This makes it possible for unauthenticated attackers (who can obtain a nonce from any public page containing a form) to upload executable PHP files to the publicly accessible /wp-content/uploads/de_fb_uploads/ directory and achieve Remote Code Execution by accessing the uploaded file via HTTP. The vulnerability was partially patched in version 5.1.3.

CWE CWE-434
Vendor divi engine
Product divi form builder
Published Jul 2, 2026
Last Updated Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for divi engine divi form builder

Be the first to know when new critical vulnerabilities affecting divi engine divi form builder are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

Divi Engine / Divi Form Builder
0 โ‰ค 5.1.8

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/9692deb2-2526-4983-8a13-93a382e230c8?source=cve diviengine.com: https://diviengine.com/divi-form-builder-changelog/

Credits

0xd4rk5id3