HIGH | CVE-2026-1829 | CNA: Wordfence

CVE-2026-1829: Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution

The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'et_pb_text' shortcode 'cvdb_content_visibility_check' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Remote code execution vulnerability in the Content Visibility for Divi Builder WordPress plugin (versions up to and including 4.02). An attacker with at minimum a Contributor-level account can send a crafted shortcode parameter over the network and execute arbitrary code on the server, requiring no victim interaction. Successful exploitation gives the attacker full control over server-side code execution, enabling data theft, file tampering, or complete host compromise. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment - CVE-2026-1829 is matched against customer images within minutes of publication, including custom-built WordPress images that bundle the Content Visibility for Divi Builder plugin. Any image containing an affected version of the plugin (4.02 and below) is flagged automatically during both registry scans and CI pipeline checks.
Triage (Available)

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and surfaces it with that severity weighting inside each customer environment, adjusted further by any per-environment compliance policy rules. Triage tickets are routed to the relevant team inbox based on each organization's configured ownership mappings.
Patch (Pending upstream)

No upstream fix is currently available for CVE-2026-1829. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is published upstream. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention once the patch lands.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP or HTTPS to deliver the malicious shortcode parameter.

  • Authentication: Required

    A valid WordPress account at Contributor privilege level or higher is required; any low-privilege registered account is sufficient to trigger the vulnerability.

  • Victim interaction: Not required

    No victim action is needed - the attacker sends the malicious request directly and the server processes it without any user having to click a link or open a file.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and straightforward with no race conditions, special memory layout, or environmental prerequisites required.

Blast Radius

  • Executes arbitrary server-side code under the web server process account, giving the attacker a foothold on the underlying host.
  • Reads any files accessible to the web server process, including WordPress configuration files that contain database credentials and secret keys.
  • Writes or overwrites files on the server, enabling webshell deployment, plugin replacement, or corruption of site content.
  • Causes full service disruption by terminating processes, exhausting resources, or deleting critical application files.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-1829 as of the publication date, the primary action is continuous advisory monitoring. HarborGuard re-checks the upstream feed on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released. In the interim, compensating controls worth evaluating include network-policy rules that restrict which clients can reach the WordPress installation, disabling the et_pb_text shortcode processing at the application or WAF layer if the feature is not actively required, and tightening account registration policies to prevent untrusted users from obtaining Contributor-level roles. For customers who opt into auto-remediation, the full rebuild, regression test, and PR flow will activate without manual steps as soon as the upstream fix is available. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled, once an upstream fix exists.
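An interim audit to sit alongside the compensating controls above, as an added example that is not HarborGuard or plugin code: it scans exported post content for et_pb_text shortcodes carrying the cvdb_content_visibility_check attribute so that each value can be reviewed by hand. The post records, the placeholder attribute values and the rule of reviewing non-administrator authors first are assumptions made for illustration.

```python
import html
import re

SHORTCODE = "et_pb_text"                      # shortcode named in the advisory
ATTRIBUTE = "cvdb_content_visibility_check"   # parameter named in the advisory

# Opening tag of the shortcode; a quoted value may itself contain "]".
TAG_RE = re.compile(r"\[" + SHORTCODE + r"""(?=[\s\]/])((?:"[^"]*"|'[^']*'|[^\]"'])*)\]""")
# name="value", name='value' or name=value
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Typographic quotes that stored content sometimes carries instead of ASCII ones.
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"', "\u2018": "'", "\u2019": "'"})

def normalise(content):
    """Decode HTML entities and straighten quotes so encoded attributes still parse."""
    return html.unescape(content).translate(CURLY)

def find_uses(content):
    """Return every value given to ATTRIBUTE on a SHORTCODE tag in one post body."""
    values = []
    for tag in TAG_RE.finditer(normalise(content)):
        for m in ATTR_RE.finditer(tag.group(1)):
            if m.group(1).lower() == ATTRIBUTE:
                values.append(m.group(2) or m.group(3) or m.group(4) or "")
    return values

def audit(posts):
    """List every use for manual review, non-administrator authors first (assumed triage rule)."""
    findings = []
    for post in posts:
        for value in find_uses(post["content"]):
            findings.append({"post_id": post["id"], "author_role": post["author_role"],
                             "value": value, "priority": post["author_role"] != "administrator"})
    return sorted(findings, key=lambda f: (not f["priority"], f["post_id"]))

# Constructed sample rows, shaped like an export of post id, author role and post body.
POSTS = [
    {"id": 101, "author_role": "contributor",
     "content": '[et_pb_section][et_pb_text cvdb_content_visibility_check="PLACEHOLDER_VALUE]x"]Hi[/et_pb_text][/et_pb_section]'},
    {"id": 102, "author_role": "administrator",
     "content": "[et_pb_text admin_label='Intro' cvdb_content_visibility_check='PLACEHOLDER_ADMIN']Hi[/et_pb_text]"},
    {"id": 103, "author_role": "editor", "content": '[et_pb_text admin_label="Text"]No attribute[/et_pb_text]'},
    {"id": 104, "author_role": "author", "content": '[et_pb_text_extra cvdb_content_visibility_check="x"]'},
    {"id": 105, "author_role": "contributor",
     "content": "[et_pb_text cvdb_content_visibility_check=&#8221;PLACEHOLDER_ENCODED&#8221;]t[/et_pb_text]"},
]

if __name__ == "__main__":
    for finding in audit(POSTS):
        print(finding)
```

The audit reports every use of the attribute without judging its value; drafts and pending posts belong in the export as well as published ones, since Contributor accounts submit content for review.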

Affected packages
  • jhorowitz / Content Visibility for Divi Builder
    ≤ 4.02
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H