{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-5524/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-07-02T15:00:12.782Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-5524","@id":"https://www.cve.org/CVERecord?id=CVE-2026-5524","description":"The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do_image_upload() function where user-supplied input from the acceptFileTypes POST parameter is directly interpolated into a regular expression used to validate uploaded files. Attackers can specify PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass the plu"},"products":[{"@id":"cpe:2.3:a:divi_engine:divi_form_builder:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:divi_engine:divi_form_builder:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-07-02T15:00:12.782Z"}]}