CVE-2026-5524 (Severity: CRITICAL; CNA: Wordfence)

CVE-2026-5524: Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do_image_upload() function, where user-supplied input from the acceptFileTypes POST parameter is directly interpolated into the regular expression used to validate uploaded files. Attackers can specify PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass the plugin's .htaccess protection, which blocks only the .php extension. Additionally, on Nginx-based servers the .htaccess protection is completely ineffective, because Nginx does not process .htaccess files. This makes it possible for unauthenticated attackers (who can obtain a nonce from any public page containing a form) to upload executable PHP files to the publicly accessible /wp-content/uploads/de_fb_uploads/ directory and achieve Remote Code Execution by accessing the uploaded file via HTTP. The vulnerability was partially patched in version 5.1.3.
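As an added illustration of the flaw class the description names (constructed here, not the Divi Form Builder source): an extension check whose regex is built from the request's own acceptFileTypes value, beside a hardened version that validates against a fixed server-side allowlist and stores the file under a generated name. Function names, the allowlist contents and the default extension string are assumptions.

```php
<?php
// Constructed illustration of the flaw class in the description above; it is
// not the Divi Form Builder source, and the function names are assumptions.

// VULNERABLE PATTERN: the list of accepted extensions is read from the same
// request that carries the file, so the client decides what the check allows.
function vulnerable_is_allowed(string $filename, array $post): bool
{
    $types = $post['acceptFileTypes'] ?? 'jpg|jpeg|png|gif'; // assumed default
    // Client-controlled text interpolated straight into the validation regex.
    return (bool) preg_match('/\.(' . $types . ')$/i', $filename);
}

// HARDENED PATTERN: a fixed allowlist defined on the server; nothing in the
// request influences which extensions pass.
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function hardened_is_allowed(string $filename): bool
{
    $base = basename($filename);
    // Accept exactly one extension: names with zero or several dots are
    // rejected, so the validated extension is the only one the server sees.
    if (substr_count($base, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true);
}

// Store under a server-generated name so the client-supplied name never
// reaches disk; returns the stored path or null on rejection.
function hardened_store(string $tmpPath, string $clientName, string $dir): ?string
{
    if (!hardened_is_allowed($clientName)) {
        return null;
    }
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // Extension allowlisting alone is not sufficient: pair it with web-server
    // configuration that refuses to execute anything under the uploads
    // directory. On Nginx that has to live in the server block, because
    // .htaccess files are never read there.
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}
```

The two checks differ in one respect that matters for this advisory: the hardened version has no input through which a request can widen the set of accepted extensions.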

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Arbitrary file upload leading to remote code execution in the Divi Form Builder plugin for WordPress (versions up to and including 5.1.8). The flaw is reachable over the network with no authentication required: an attacker can obtain a nonce from any public page that contains a form and then supply a crafted acceptFileTypes POST parameter to bypass file-extension validation, uploading a PHP-executable file to a publicly accessible directory. Successful exploitation gives the attacker full remote code execution on the web server. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-5524 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle the Divi Form Builder plugin.

Triage (status: Available)

HarborGuard scores this finding at CVSS 9.8 Critical (v3.1) and surfaces it with that severity weighting in every matched environment; per-environment compliance policies can further adjust priority and route the alert to the appropriate team or inbox within the customer org.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment the upstream vendor ships a corrected release. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict inbound form-submission traffic, egress filtering on the uploads directory path, and tagging of affected images to block promotion to production until the advisory is resolved.

Exploit Conditions

  • Network reachability: Required

    The vulnerable upload endpoint is exposed over the network; an attacker must be able to send HTTP POST requests to the target WordPress site.

  • Authentication: Not required

    No account or credentials are needed; a nonce sufficient to reach the upload handler is obtainable from any public page on the site that renders a Divi form.

  • Victim interaction: Not required

    The attacker interacts directly with the server-side endpoint and does not require any action from a logged-in user or administrator.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free under the CVSS scoring; the attacker simply supplies the desired extension via the acceptFileTypes parameter and then issues an HTTP request to the uploaded file path to trigger execution.

Blast Radius

  • Reads any file accessible to the web server process, including WordPress configuration files containing database credentials and secret keys.
  • Writes or overwrites arbitrary files within the web root, enabling persistent backdoors or defacement of site content.
  • Executes arbitrary operating system commands as the web server user, potentially pivoting to other services or containers sharing the same host or network namespace.
  • Crashes or degrades the web application by consuming server resources or corrupting application state through executed code.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-5524 is active across connected environments for any image containing the Divi Form Builder plugin at version 5.1.8 or below. Because no upstream fix exists at this time, HarborGuard does not yet have a patched-image rebuild to offer; instead, the advisory is re-evaluated on every ingest cycle so that a rebuild becomes available automatically the moment a fix version is published. While waiting for an upstream patch, customers can use HarborGuard policy controls to apply compensating measures: isolate affected WordPress containers behind a network policy that restricts direct POST access to the upload endpoint, apply egress filtering to prevent outbound connections initiated by uploaded files, and use image promotion gates to block any image carrying the vulnerable plugin version from reaching production. For customers with auto-remediation enabled, a rebuild and regression-test run will be triggered and a PR opened against affected workloads as soon as a fix version is confirmed upstream.

Affected packages

  • Divi Engine / Divi Form Builder ≤ 5.1.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H