PatchSiren cyber security CVE debrief
CVE-2026-5118 Divi Engine CVE debrief
CVE-2026-5118 is a critical privilege-escalation issue in the Divi Form Builder plugin for WordPress, affecting versions up to and including 5.1.2. The core problem is that registration requests accept a user-controlled 'role' parameter from POST data without validating it against the form's configured default_user_role setting. According to the source description, this can let unauthenticated attackers create administrator accounts by tampering with the registration request. The CVE was published on 2026-05-21.
- Vendor: Divi Engine
- Product: Divi Form Builder
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
WordPress site owners and administrators using Divi Form Builder 5.1.2 or earlier, especially environments that allow public user registration. Security teams, managed WordPress hosts, and incident responders should treat this as urgent because it can lead to immediate administrator-level compromise without authentication.
Technical summary
The vulnerability is a registration-time authorization bypass: the plugin accepts a POST-supplied role value and fails to constrain it to the form's configured default_user_role. The source corpus classifies the weakness as CWE-269 and assigns a CVSS 3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, consistent with remote, unauthenticated privilege escalation with high impact. The provided description states the issue is present in versions up to and including 5.1.2.
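As an added illustration (not the plugin's own code and not taken from the source record), the following generic WordPress registration handler shows the CWE-269 pattern the summary describes, a role read from the request body, beside a hardened version that takes the role only from server-side form configuration and caps what a public form may assign. The function names, the `$form_settings` array and the `$public_roles` policy are assumptions; the WordPress API calls are real.

```php
<?php
// Illustrative example only; not Divi Form Builder code. Function names,
// $form_settings and $public_roles are hypothetical placeholders.

// VULNERABLE PATTERN: the role is whatever the request body says, so the
// form's configured default_user_role is never actually enforced.
function example_register_user_vulnerable( array $form_settings ) {
    $role = isset( $_POST['role'] )
        ? sanitize_key( $_POST['role'] )
        : $form_settings['default_user_role'];
    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role, // client-controlled value reaches wp_insert_user
    ) );
}

// HARDENED PATTERN: the role comes only from server-side configuration, is
// checked against the roles WordPress actually knows, and is limited to a
// fixed allow-list so a public form can never hand out a privileged role
// even if the stored configuration is wrong.
function example_register_user_hardened( array $form_settings ) {
    // Site policy: the only roles a public registration form may assign.
    $public_roles = array( 'subscriber' );

    $role = sanitize_key(
        $form_settings['default_user_role'] ?? get_option( 'default_role', 'subscriber' )
    );

    if ( ! wp_roles()->is_role( $role ) || ! in_array( $role, $public_roles, true ) ) {
        // Refuse rather than fall through on a bad or over-privileged setting.
        error_log( 'example_register: refusing configured role ' . $role );
        return new WP_Error( 'invalid_role', 'Registration role not permitted.' );
    }

    // A 'role' key in the request is ignored outright; logging it gives
    // defenders a detection signal for tampered registration submissions.
    if ( isset( $_POST['role'] ) ) {
        error_log( 'example_register: ignored client-supplied role ' . sanitize_key( $_POST['role'] ) );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role, // server-chosen, validated role only
    ) );
}
```

Note that `wp_insert_user()` silently drops an unknown role name rather than rejecting the request, so the explicit `is_role()` and allow-list checks are what actually enforce policy here.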
Defensive priority
Immediate. This is a critical, unauthenticated path to administrator account creation, so exposure should be assumed high until the plugin is confirmed remediated or removed.
Recommended defensive actions
- Inventory WordPress sites for Divi Form Builder installations and confirm the installed version.
- Treat versions 5.1.2 and earlier as vulnerable based on the supplied source description.
- Review public registration workflows and disable them temporarily if they are not required.
- Apply the vendor's remediation or update to a fixed version as soon as it is available in the official changelog or plugin release notes.
- Audit WordPress administrator accounts and recent account-creation activity for suspicious registrations.
- If compromise is suspected, rotate credentials, invalidate active sessions, and review site admin settings and plugin changes.
- Monitor the official CVE/NVD record and the Divi Form Builder changelog for versioning and fix confirmation.
Evidence notes
The description and CVSS data come from the supplied NVD-derived source item for CVE-2026-5118, which lists a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-269. The source description states that Divi Form Builder up to and including 5.1.2 accepts a user-controlled 'role' parameter during registration without validating it against the configured default_user_role, enabling unauthenticated administrator-account creation. The reference set includes the official CVE record, the NVD detail page, the NVD source item URL, the Divi Form Builder changelog, and a Wordfence threat-intel reference. Vendor mapping in the provided data is low-confidence, so the product label should be treated carefully.
Official resources
Publicly disclosed in the CVE/NVD record on 2026-05-21, with source references pointing to Wordfence threat intelligence and the Divi Form Builder changelog.