Divi Form Builder Privilege Escalation: Unauthenticated Admin Account Creation
The Divi Form Builder plugin for WordPress, in versions up to and including 5.1.2, is vulnerable to a critical privilege escalation. According to the National Vulnerability Database, this flaw (CVE-2026-5118) stems from the plugin’s failure to properly validate the ‘role’ parameter during user registration. An attacker can manipulate this parameter in POST data, bypassing the form’s configured default user role setting.
This oversight allows unauthenticated attackers to create administrator accounts directly. The National Vulnerability Database assigns a CVSS score of 9.8 (CRITICAL) to this vulnerability, underscoring its severe impact. The root cause is identified as CWE-269, improper privilege management.
For any organization running Divi Form Builder, this is a glaring exposure. It’s a direct path for any unauthenticated actor to gain full administrative control over a WordPress site, leading to complete compromise. The attacker’s calculus here is simple: find a vulnerable Divi site, register with a tampered ‘role’ parameter, and own the environment.
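As an added illustration of the fix described above (example code, not the plugin's code or the vendor's patch): a registration handler that takes the new user's role from the saved form setting only, never from the request. The function names, the `default_user_role` settings key, and the `username`/`email`/`password` field names are assumptions.

```php
<?php
// Added example, not Divi Form Builder code. Assumed: the form's settings array
// carries 'default_user_role'; the form posts 'username', 'email', 'password'.

/*
 * Vulnerable pattern (for contrast only): the role is read from the request,
 * so a client can submit role=administrator and bypass the configured default:
 *   $role = $_POST['role'] ?? $form_settings['default_user_role'];
 */

function dfb_allowed_registration_roles(): array {
    // Roles a public registration form may ever assign; privileged roles are absent.
    return array( 'subscriber', 'contributor' );
}

function dfb_resolve_registration_role( array $form_settings ): string {
    // The request is never consulted for the role; only the server-side setting is.
    $role = sanitize_key( $form_settings['default_user_role'] ?? 'subscriber' );

    // Even the configured value must be on the allow-list and exist in this site.
    if ( ! in_array( $role, dfb_allowed_registration_roles(), true ) || null === get_role( $role ) ) {
        $role = 'subscriber';
    }
    return $role;
}

function dfb_register_from_form( array $post, array $form_settings ) {
    // Drop any role-like keys a client injected; they are not inputs to registration.
    unset( $post['role'], $post['roles'] );

    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '', true ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? wp_generate_password( 24 ),
        'role'       => dfb_resolve_registration_role( $form_settings ),
    );

    if ( '' === $userdata['user_login'] || ! is_email( $userdata['user_email'] ) ) {
        return new WP_Error( 'dfb_invalid_input', 'Username or email address is invalid.' );
    }

    $user_id = wp_insert_user( $userdata ); // int user ID on success, WP_Error on failure
    if ( ! is_wp_error( $user_id ) ) {
        // Re-assert the resolved role so no later filter leaves an elevated role behind.
        $user = new WP_User( $user_id );
        $user->set_role( $userdata['role'] );
    }
    return $user_id;
}
```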
What This Means For You
- If your organization utilizes the Divi Form Builder plugin for WordPress, you must immediately verify its version. Patch to a secure version beyond 5.1.2 without delay. Audit recent user registrations for any suspicious administrator accounts created by unknown users.
Related ATT&CK Techniques
🛡️ Detection Rules
6 rules · 6 SIEM formats. 6 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
Web Application Exploitation Attempt — CVE-2026-5118
```yaml
title: Web Application Exploitation Attempt — CVE-2026-5118
id: scw-2026-05-21-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-5118 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5118/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-5118
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5118 | Privilege Escalation | Divi Form Builder plugin for WordPress |
| CVE-2026-5118 | Privilege Escalation | Divi Form Builder plugin versions <= 5.1.2 |
| CVE-2026-5118 | Privilege Escalation | User registration with user-controlled 'role' POST parameter |
| CVE-2026-5118 | Privilege Escalation | Lack of validation against form's configured default_user_role setting |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.