A critical (CVSS 9.8) flaw in the Divi Form Builder plugin for WordPress lets unauthenticated attackers register themselves as administrators by tampering with a single POST parameter.
What Is It
CVE-2026-5118 is a privilege escalation vulnerability (CWE-269) in the Divi Form Builder plugin for WordPress, affecting all versions up to and including 5.1.2. The plugin accepts a user-controlled role parameter from POST data during user registration and fails to validate it against the form's configured default_user_role setting. An attacker submitting a registration request can simply override the role value to elevate the new account to administrator.
No authentication, no user interaction, and no special conditions are required. The CVSS 3.1 vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflects a fully remote, low-complexity path to total compromise of confidentiality, integrity, and availability.
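The pattern described above, as an added illustration rather than code from the Divi Form Builder plugin (the plugin's actual source is not reproduced here): a hypothetical registration handler that lets a POST-supplied role override the form's configured default_user_role, beside a hardened version that never reads the role from the request and refuses any configured role outside a small allowlist. The function names, the form-config array shape, and the allowlist contents are assumptions; the WordPress APIs used (wp_insert_user, get_role, sanitize_key, WP_Error) are real.

```php
<?php
// Added example, not plugin or vendor code. Shows the weak pattern the advisory
// describes next to a hardened form. Names and config layout are assumptions.

// --- Vulnerable pattern (hypothetical; mirrors the behaviour described, not the plugin's code) ---
function example_vulnerable_register( array $form_config ) {
    $user_login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $user_email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );

    // BUG: the role is taken from the request when present, so an unauthenticated
    // submitter can send role=administrator and the form's default is ignored.
    $role = ! empty( $_POST['role'] )
        ? sanitize_key( wp_unslash( $_POST['role'] ) )
        : ( $form_config['default_user_role'] ?? 'subscriber' );

    return wp_insert_user( array(
        'user_login' => $user_login,
        'user_email' => $user_email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role, // attacker-controlled
    ) );
}

// --- Hardened version ---
function example_hardened_register( array $form_config ) {
    // Roles a public registration form may ever assign (assumed allowlist).
    // administrator/editor are never on it, so even a misconfigured form cannot hand them out.
    $allowed_roles = array( 'subscriber', 'customer' );

    // Do not read the role from $_POST at all. Take it from server-side form config,
    // then check that it is allowlisted and actually registered with WordPress.
    $role = sanitize_key( $form_config['default_user_role'] ?? 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) || null === get_role( $role ) ) {
        return new WP_Error( 'invalid_role', 'Form is configured with a role it may not assign.' );
    }

    // Make tampering attempts visible: a client has no reason to send a role field.
    if ( isset( $_POST['role'] ) ) {
        error_log( 'Registration form received unexpected role parameter: '
            . sanitize_key( wp_unslash( $_POST['role'] ) ) );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role, // server-side value only
    ) );
}
```

The important design point is the second one: validating a client-supplied role against a configured value still leaves the role in the request surface; dropping the parameter entirely and validating only the server-side configuration removes the class of bug rather than one instance of it.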
Why It Matters
Administrator access on a WordPress site is effectively full control: theme/plugin installation, arbitrary PHP execution, database access, and user takeover. Form Builder plugins from the Divi ecosystem are widely deployed across commercial WordPress sites, so the exposed surface is large. Because exploitation only requires sending crafted POST data to a public registration form, this is the type of bug that gets mass-scanned and weaponized quickly after disclosure.
This CVE is not currently listed in the CISA KEV catalog, so active in-the-wild exploitation has not been federally confirmed at the time of writing. Absence from KEV is not evidence that the bug is unexploited; for a pre-auth, single-parameter privilege escalation on a widely deployed plugin, operators should assume scanning will begin as soon as the details are public.
What's Vulnerable
- Product: Divi Form Builder plugin for WordPress
- Affected versions: All versions up to and including 5.1.2
- Weakness: CWE-269; Improper Privilege Management
- Attack vector: Network (unauthenticated POST request to a registration form)
- Root cause: Missing server-side validation of the role parameter against the form's default_user_role configuration
Patch Status
Site operators should update the Divi Form Builder plugin to a version newer than 5.1.2 as soon as a fixed release is available; consult the vendor changelog for the exact patched version. Until patched, disable or restrict any public-facing forms that use the plugin's user registration functionality. Patching alone does not remove accounts created before the fix, so audit existing administrator accounts for unexpected entries, paying particular attention to accounts registered after the plugin was installed, and remove or demote any that cannot be tied to a known operator.
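One way to carry out the administrator audit mentioned above, as an added example that is not the vendor's or the plugin's code. It lists administrator accounts and flags any that are missing from an operator-maintained baseline of known logins or were registered on or after a chosen cutoff date; the function name, the baseline, and the cutoff are assumptions, while get_users and its arguments are the real WordPress API. It can be run from a one-off mu-plugin or with WP-CLI's eval-file command.

```php
<?php
// Added example, not plugin or vendor code. Flags administrator accounts that are
// either not in a known-good baseline or were registered on/after $since.
// $known_admins and $since are operator-supplied assumptions.
function example_audit_admins( array $known_admins, string $since ) {
    $flagged = array();

    // Only the fields needed for the report; returns stdClass rows with these properties.
    $admins = get_users( array(
        'role'    => 'administrator',
        'fields'  => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );

    $cutoff = strtotime( $since );
    foreach ( $admins as $admin ) {
        $unknown = ! in_array( $admin->user_login, $known_admins, true );
        $recent  = strtotime( $admin->user_registered ) >= $cutoff;
        if ( $unknown || $recent ) {
            $flagged[] = sprintf(
                '%d %s <%s> registered %s%s%s',
                $admin->ID,
                $admin->user_login,
                $admin->user_email,
                $admin->user_registered,
                $unknown ? ' [not in baseline]' : '',
                $recent ? ' [registered after cutoff]' : ''
            );
        }
    }
    return $flagged;
}

// Example invocation (constructed values; replace with the site's real baseline and date).
foreach ( example_audit_admins( array( 'siteowner', 'ops-admin' ), '2026-01-01 00:00:00' ) as $line ) {
    echo $line, PHP_EOL;
}
```

The role filter only catches accounts whose capabilities meta names the administrator role; an attacker who has already been in as administrator may have left other persistence, so treat any flagged account as a trigger for a wider review of plugins, theme files and scheduled tasks rather than just deleting the user.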