⚡ Active KEV CVE-2026-5524 2026-07-02

CVE-2026-5524: Critical Unauthenticated RCE in Divi Form Builder for WordPress

A critical arbitrary file upload flaw in the Divi Form Builder WordPress plugin lets unauthenticated attackers upload executable PHP files and achieve remote code execution on affected sites.

What Is It

CVE-2026-5524 is an arbitrary file upload vulnerability leading to remote code execution (CWE-434) in the Divi Form Builder plugin for WordPress. The flaw lives in the do_image_upload() function, where the value of the acceptFileTypes POST parameter is interpolated directly into the regular expression that validates uploaded files, so the request itself decides which file types pass the check. The plugin's remaining defence is a .htaccess rule that blocks only files ending in .php, so an attacker can supply PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass it. On Nginx-based servers that protection is entirely ineffective, since Nginx does not process .htaccess files.
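The two weaknesses above, a client-controlled allowlist regex and a deny rule that names only .php, are shown below as a constructed re-creation beside a hardened validator. This is added example code written for this brief, not the plugin's code; the function names, the allowed-extension set and the sample file names are assumptions. The hardened check goes slightly beyond the advisory by also rejecting a PHP-executable extension in any position of the name (for example shell.phtml.jpg), a common generalisation of the same fix.

```python
import re

# Constructed re-creation of the defect class described above; not the plugin's code.
# Extensions the advisory names as PHP-executable and missed by a ".php"-only rule.
PHP_EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php5", "php7"}

# Server-side allowlist for a form that accepts images and documents (assumed).
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def vulnerable_is_allowed(filename: str, accept_file_types: str) -> bool:
    """Flawed pattern: the allowed-extension regex is built from a request parameter
    (modelled on the acceptFileTypes POST parameter), so the client chooses what passes."""
    pattern = re.compile(r"\.(" + accept_file_types + r")$", re.IGNORECASE)
    return pattern.search(filename) is not None


def htaccess_blocks_execution(filename: str) -> bool:
    """Models a .htaccess rule that denies execution only for names ending in .php."""
    return filename.lower().endswith(".php")


def slips_through_vulnerable_path(filename: str, accept_file_types: str) -> bool:
    """True when the flawed validator accepts the file and the .php-only rule would not stop it."""
    return vulnerable_is_allowed(filename, accept_file_types) and not htaccess_blocks_execution(filename)


def hardened_is_allowed(filename: str) -> bool:
    """Hardened check: ignore anything the client claims, use a fixed server-side allowlist,
    and reject a PHP-executable extension anywhere in the name (also catches shell.phtml.jpg)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    segments = name.split(".")
    if len(segments) < 2 or not segments[0]:
        return False  # no extension at all, or a dotfile such as ".htaccess"
    extensions = segments[1:]
    if any(ext in PHP_EXECUTABLE_EXTENSIONS for ext in extensions):
        return False
    return extensions[-1] in ALLOWED_UPLOAD_EXTENSIONS


if __name__ == "__main__":
    for name, accept in [("photo.jpg", "jpg|png"), ("shell.phtml", "phtml|jpg"), ("shell.php", "php|jpg")]:
        print(name, "| vulnerable path accepts and would execute:",
              slips_through_vulnerable_path(name, accept),
              "| hardened accepts:", hardened_is_allowed(name))
```

The point of the pairing: the flawed path lets .phtml through because the request chose the regex and the deny rule only knows .php, while the hardened path never consults the request for its policy, so the .htaccess layer (absent on Nginx anyway) is no longer load-bearing.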

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: it is exploitable over the network with low complexity and requires neither privileges nor user interaction. Any attacker who obtains a nonce from a public page containing a form can upload a malicious PHP file to the publicly accessible /wp-content/uploads/de_fb_uploads/ directory, then execute it by requesting it over HTTP. This yields full remote code execution with high impact to confidentiality, integrity, and availability.
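Because execution happens by fetching the uploaded file from /wp-content/uploads/de_fb_uploads/ over HTTP, the web server access log is the natural place to look for it. The following detection script is an added example for this brief, not tooling from the vendor or the advisory: it parses combined-format access log lines, decodes percent-encoding, and flags any request for a file with a PHP-executable extension under that directory. The log lines are constructed samples, the regex assumes the common/combined log format, and a 403 hit is reported as well, since it shows such a file exists even if the server refused to serve it.

```python
import re
from urllib.parse import unquote, urlsplit

# Values taken from the advisory text.
UPLOAD_DIR = "/wp-content/uploads/de_fb_uploads/"
PHP_EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php5", "php7"}

# Combined/common access log format (assumed); the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def has_php_executable_extension(path: str) -> bool:
    """True if any dotted segment after the basename is a PHP-executable extension."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(seg in PHP_EXECUTABLE_EXTENSIONS for seg in name.split(".")[1:])


def flag_upload_dir_executions(lines):
    """Return (ip, method, path, status) for every request that fetches a PHP-executable
    file from the form plugin's upload directory. Percent-encoding is decoded first so
    'x%2Ephp5' is seen as 'x.php5'. A 403 is still reported: it shows the file exists."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected shape
        path = unquote(urlsplit(m["target"]).path)
        if path.startswith(UPLOAD_DIR) and has_php_executable_extension(path):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


# Constructed sample log lines (addresses from documentation ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [02/Jul/2026:10:14:03 +0000] "GET /wp-content/uploads/de_fb_uploads/photo.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jul/2026:10:14:09 +0000] "GET /wp-content/uploads/de_fb_uploads/a1b2c3.phtml HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.4 - - [02/Jul/2026:10:15:22 +0000] "GET /wp-content/uploads/2026/07/report.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jul/2026:10:15:40 +0000] "GET /wp-content/uploads/de_fb_uploads/x%2Ephp5 HTTP/1.1" 200 88 "-" "curl/8.0"',
    '203.0.113.7 - - [02/Jul/2026:10:16:01 +0000] "GET /wp-content/uploads/de_fb_uploads/test.php HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in flag_upload_dir_executions(SAMPLE_LOG):
        print("ALERT", *hit)
```

A 200 for a .phtml or .php5 file under that directory is the strongest signal here; on an Nginx host it is exactly the request the advisory describes succeeding. Any hit should be followed by listing the directory itself and checking the plugin version against the patched release.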

What's Vulnerable

Nginx-hosted sites are especially exposed: because Nginx does not process .htaccess files, the plugin's file-execution protection does not apply there at all.

Patch Status

The vulnerability was partially patched in version 5.1.3, but all versions up to and including 5.1.8 remain affected. Administrators should consult the vendor changelog and update to the latest available release. No CISA KEV entry was supplied, so active exploitation is not confirmed in this source material.