A critical arbitrary file upload flaw in the Divi Form Builder WordPress plugin lets unauthenticated attackers upload executable PHP files and achieve remote code execution on affected sites.
What Is It
CVE-2026-5524 is an arbitrary file upload vulnerability leading to remote code execution (CWE-434) in the Divi Form Builder plugin for WordPress. The flaw lives in the do_image_upload() function, where user-supplied input from the acceptFileTypes POST parameter is interpolated directly into a regular expression used to validate uploaded files. Because the plugin's .htaccess protection only blocks files ending in .php, attackers can supply PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass it. On Nginx-based servers the .htaccess protection is entirely ineffective, since Nginx does not process .htaccess files.
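The following PHP is an added illustration for this write-up, not code from the Divi Form Builder plugin, and the weak validator is a hypothetical reconstruction of the pattern the advisory describes (a request-supplied accept list interpolated into the validation regex). Function names, the `acceptFileTypes` handling, the extension lists and the sample file names are assumptions constructed for the demo. It shows why the accept list must be fixed server-side and why PHP-executable suffixes have to be denied independently of any `.htaccess` rule.

```php
<?php
// Added illustration; not Divi Form Builder code. Function names, the POST
// handling and the sample names are assumptions constructed for this demo.

// Suffixes that common mod_php / PHP-FPM setups execute. The advisory names
// .phtml, .phar, .php5 and .php7 as bypasses of a rule that only blocks .php.
const DE_FB_PHP_EXECUTABLE = [
    'php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'pht', 'phpt',
];

// Hypothetical reconstruction of the weak pattern: the accept list is read
// from the request, so whoever submits the form decides what the regex allows.
function de_fb_validate_upload_weak(array $post, string $filename): bool
{
    $accept = $post['acceptFileTypes'] ?? 'jpg|jpeg|png|gif';
    return (bool) preg_match('/\.(' . $accept . ')$/i', $filename);
}

// Hardened name check: fixed server-side allowlist, normalised extension,
// multi-extension names rejected, PHP-executable suffixes denied outright.
function de_fb_allowed_extension(string $filename): ?string
{
    $base  = basename(str_replace('\\', '/', $filename));
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;                                  // no extension, or more than one
    }
    $ext = strtolower($parts[1]);
    if (in_array($ext, DE_FB_PHP_EXECUTABLE, true)) {
        return null;
    }
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];  // server-side, never from $_POST
    return in_array($ext, $allowed, true) ? $ext : null;
}

// Content check on top of the name check: the bytes must match the extension.
function de_fb_validate_upload_hardened(string $filename, string $tmpPath): bool
{
    $ext = de_fb_allowed_extension($filename);
    if ($ext === null || !is_file($tmpPath)) {
        return false;
    }
    $expected = [
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
        'gif' => 'image/gif',  'pdf'  => 'application/pdf',
    ];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $mime === $expected[$ext];
}

// Demo on constructed file names. The weak check is given a request-controlled
// accept list that names PHP-executable suffixes; the hardened check ignores it.
$names = ['photo.png', 'shell.phtml', 'shell.phtml.png', 'SHELL.PHP7', 'report.pdf'];
foreach ($names as $name) {
    $weak = de_fb_validate_upload_weak(['acceptFileTypes' => 'png|phtml|php7'], $name);
    $hard = de_fb_allowed_extension($name) !== null;
    printf("%-18s weak=%-6s hardened=%s\n", $name,
        $weak ? 'accept' : 'reject', $hard ? 'accept' : 'reject');
}

// Content check: a PNG signature under a .png name passes, plain text does not.
$tmp = tempnam(sys_get_temp_dir(), 'defb');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
printf("png bytes as photo.png: %s\n",
    de_fb_validate_upload_hardened('photo.png', $tmp) ? 'accept' : 'reject');
file_put_contents($tmp, "plain text, not an image\n");
printf("text bytes as photo.png: %s\n",
    de_fb_validate_upload_hardened('photo.png', $tmp) ? 'accept' : 'reject');
unlink($tmp);
```

Run with `php demo.php`. Multi-extension names such as `shell.phtml.png` are rejected rather than judged on their last suffix because Apache with mod_php can map a handler from any extension in the name, so a last-suffix check is not enough on every host. The name and content checks complement, rather than replace, a web-server rule that denies script execution under the uploads directory; on Nginx that rule has to live in the server configuration, since `.htaccess` is ignored there.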
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: it is exploitable over the network with low attack complexity and requires neither privileges nor user interaction. Any attacker who obtains a nonce from a public page containing a form can upload a malicious PHP file to the publicly accessible /wp-content/uploads/de_fb_uploads/ directory and then execute it by requesting it over HTTP. The result is full remote code execution with high impact on confidentiality, integrity, and availability.
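For responders checking a site after the fact, the following PHP is an added scanning helper written for this write-up, not part of Divi Form Builder. Only the `/wp-content/uploads/de_fb_uploads/` path comes from the advisory; the function names, the suffix list and the constructed sample tree are assumptions. It walks the upload directory and reports files that carry a PHP-executable suffix anywhere after the first dot, or whose leading bytes contain a PHP open tag, which covers both the extension bypasses described above and files disguised under an image name.

```php
<?php
// Added detection helper for this write-up; not plugin code. The directory
// name is from the advisory, everything else here is an assumption.

const DE_FB_UPLOAD_DIR = 'wp-content/uploads/de_fb_uploads';
const DE_FB_PHP_EXECUTABLE = [
    'php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'pht', 'phpt',
];

// Returns one finding per suspicious file: path, size, mtime and the reasons.
function de_fb_scan_uploads(string $dir): array
{
    $findings = [];
    if (!is_dir($dir)) {
        return $findings;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $reasons = [];
        // Every dot-separated segment after the first counts, so "x.phtml.png" is caught.
        $segments = array_slice(explode('.', strtolower($file->getFilename())), 1);
        foreach ($segments as $seg) {
            if (in_array($seg, DE_FB_PHP_EXECUTABLE, true)) {
                $reasons[] = "extension .$seg";
                break;
            }
        }
        // Sniff the first 4 KiB for an open tag regardless of the name.
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 4096);
        if (preg_match('/<\?(php|=)/i', $head)) {
            $reasons[] = 'php open tag in content';
        }
        if ($reasons) {
            $findings[] = [
                'path'    => $file->getPathname(),
                'size'    => $file->getSize(),
                'mtime'   => date('c', $file->getMTime()),
                'reasons' => $reasons,
            ];
        }
    }
    return $findings;
}

// Demo on a constructed temporary tree. Against a real site, call
// de_fb_scan_uploads() with the absolute path of the upload directory.
$root = sys_get_temp_dir() . '/defb_demo_' . getmypid();
$dir  = "$root/" . DE_FB_UPLOAD_DIR;
mkdir("$dir/2026/04", 0700, true);
file_put_contents("$dir/2026/04/photo.png", "\x89PNG\r\n\x1a\n");          // benign
file_put_contents("$dir/2026/04/x.phtml", "constructed placeholder");     // by suffix
file_put_contents("$dir/2026/04/avatar.png", "<?php /* constructed */ ?>"); // by content
file_put_contents("$dir/.htaccess", '<FilesMatch "\.php$">' . PHP_EOL . 'Deny from all' . PHP_EOL . '</FilesMatch>' . PHP_EOL);

foreach (de_fb_scan_uploads($dir) as $f) {
    printf("%s  %d bytes  %s  [%s]\n", $f['path'], $f['size'], $f['mtime'], implode(', ', $f['reasons']));
}

// Remove the constructed tree again.
$rm = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($rm as $p) {
    $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
}
rmdir($root);
```

On the constructed tree the scan lists `x.phtml` (suffix) and `avatar.png` (open tag in content) and leaves `photo.png` and the `.htaccess` alone. Each reported path, with its mtime, is a starting point for correlating web-server access logs: a request for a file under `de_fb_uploads/` with a PHP-executable suffix, or a `POST` to the form endpoint shortly before the file's mtime, is the evidence an incident responder would look for.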
What's Vulnerable
- Vendor: Divi Engine
- Product: Divi Form Builder plugin for WordPress
- Affected versions: All versions up to and including 5.1.8
Nginx-hosted sites are especially exposed, as the plugin's file-execution protection does not apply there.
Patch Status
The vulnerability was partially patched in version 5.1.3, but all versions up to and including 5.1.8 remain affected. Administrators should consult the vendor changelog and update to the latest available release. No CISA KEV entry was supplied, so active exploitation is not confirmed in this source material.