CVE-2026-5118
Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'
Vexday Risk Score
48 · Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.8 · EPSS 0.5% · KEV no · PoC public · Nuclei — · Metasploit — · Patch —
Lifecycle
21 May 2026: Public PoC
21 May 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Divi Engine · Divi Form Builder
Public PoCs found — 4
github.com/zycoder0day/CVE-2026-5118 ★ 5
github.com/puj790201-lab/CVE-2026-5118 ★ 0
github.com/Jenderal92/CVE-2026-5118 ★ 0
github.com/Yucaerin/CVE-2026-5118 ★ 0
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.