External risk intelligence

Divi Form Builder lets attackers create admin accounts on your WordPress site

CVE advisory
Severity: CRITICAL (CVSS 9.8)

CVE-2026-5118

The Divi Form Builder plugin for WordPress has a critical vulnerability that allows attackers to create administrator accounts on your website without any authentication, potentially leading to a full site takeover.

Halo Surface Signal score: 5

Privilege Escalation

External exposure likelihood

Halo Surface Signal score for CVE-2026-5118

This vulnerability exists within a WordPress plugin responsible for handling user registration forms. These forms are standard features of public-facing web applications and are intended to be accessible to external users via the internet. Because the vulnerable component resides on a public web endpoint, it is exposed by design in normal, common deployments.

PCI scan relevance

PCI Relevance for CVE-2026-5118

Yes

CVE-2026-5118 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to create administrator accounts in the Divi Form Builder plugin, which could lead to a PCI ASV scan failure due to authentication bypass.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

The Divi Form Builder plugin for WordPress has a critical flaw that could allow anyone to create an administrator account. This happens because the plugin improperly handles user roles during registration, making it possible for unauthorized individuals to gain full control of a website.

  • Unauthenticated users can create accounts.
  • Websites using the plugin are at risk.
  • Administrative access can be obtained.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw to gain administrator access to a WordPress site. By submitting a crafted registration request to the Divi Form Builder, they can manipulate the user role assigned during account creation. This allows them to bypass normal registration procedures and immediately assume elevated privileges.

  • Unauthenticated access required.
  • Target vulnerable form registration endpoint.
  • Tamper with the 'role' parameter in POST data.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk as it allows unauthenticated attackers to easily escalate privileges to administrator level on WordPress sites using the Divi Form Builder plugin. Attackers would be motivated to weaponize this for quick website takeovers, enabling them to deface sites, steal data, or use the compromised site for further malicious activities. While the vulnerability is critical, its direct exploitation is not yet widely observed.

  • Unauthenticated privilege escalation
  • Direct exploitation not widely seen
  • Published in May 2026

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize blocking unauthenticated administrative account creation by patching or mitigating the Divi Form Builder plugin. Review logs for evidence of unauthorized administrator accounts being created, which could indicate exploitation.

  • Update plugin to version 5.1.3 or later.
  • Temporarily disable the Divi Form Builder plugin.
  • Monitor for new administrator user creation.
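The third bullet, monitoring for new administrator accounts, is the one most teams have no tooling for. Below is an added example of a small must-use plugin (this is not part of the advisory and not code from Divi Form Builder) that logs and e-mails the site owner whenever an account is created with the administrator role or later elevated to it, and that lists administrators registered since a given date for a retrospective review. The `user_register` and `set_user_role` hooks and the `get_users()`, `get_userdata()`, `error_log()` and `wp_mail()` calls are WordPress core or PHP built-ins; the `example_` function names are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Admin Creation Monitor (added example, not part of the advisory)
 * Place this file in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * It reports any account that is created with, or later elevated to, the
 * administrator role, which is the signature of the exploitation described above.
 */

// Fires after wp_insert_user() has created an account (whatever plugin called it).
add_action( 'user_register', 'example_check_new_user_role', 10, 1 );
function example_check_new_user_role( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        example_report_admin_grant( $user, 'created with administrator role' );
    }
}

// Fires whenever WP_User::set_role() changes a role, including on existing accounts.
add_action( 'set_user_role', 'example_check_role_change', 10, 3 );
function example_check_role_change( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        $user = get_userdata( $user_id );
        if ( $user ) {
            example_report_admin_grant( $user, 'elevated to administrator' );
        }
    }
}

// Writes one log line and one e-mail. "actor=unauthenticated" on a creation
// event is the condition that should never happen on a healthy site.
function example_report_admin_grant( WP_User $user, $reason ) {
    $actor = is_user_logged_in() ? wp_get_current_user()->user_login : 'unauthenticated';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $uri   = isset( $_SERVER['REQUEST_URI'] )
        ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';

    $message = sprintf(
        '[admin-monitor] user #%d (%s) %s; actor=%s; ip=%s; uri=%s',
        $user->ID, $user->user_login, $reason, $actor, $ip, $uri
    );

    error_log( $message ); // lands in the PHP error log or WP_DEBUG_LOG
    wp_mail( get_option( 'admin_email' ), 'Administrator account change on ' . home_url(), $message );
}

// Retrospective check: list administrators whose account was registered on or
// after $since (MySQL datetime, e.g. '2026-05-01 00:00:00'). Run it with
// `wp eval 'print_r( example_list_recent_admins( "2026-05-01 00:00:00" ) );'`.
function example_list_recent_admins( $since ) {
    $admins = get_users( array( 'role' => 'administrator', 'fields' => 'all' ) );
    $recent = array();
    foreach ( $admins as $admin ) {
        if ( $admin->user_registered >= $since ) {
            $recent[ $admin->ID ] = array(
                'login'      => $admin->user_login,
                'email'      => $admin->user_email,
                'registered' => $admin->user_registered,
            );
        }
    }
    return $recent;
}
```

Any administrator in the retrospective list that nobody on the team recognises should be treated as evidence of compromise rather than a curiosity: disable the account, rotate credentials and secrets, and check the site for persistence that the account may have installed.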

Frequently asked questions

What is the vulnerability in the Divi Form Builder plugin for WordPress?

The Divi Form Builder plugin for WordPress versions up to and including 5.1.2 has a critical vulnerability that allows for privilege escalation. It incorrectly accepts a user-controlled 'role' parameter during user registration without validating it against the form's default role settings.
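To make the root cause concrete, here is an added illustration of the pattern the advisory describes, written for this page and not taken from Divi Form Builder's source: a registration handler that copies a client-supplied 'role' field into the new account, placed beside a hardened version that takes the role only from the form's stored configuration and checks it against an allowlist. `wp_insert_user()`, `sanitize_user()`, `sanitize_email()`, `get_option()` and `is_wp_error()` are WordPress core functions; the `example_` function names and the `example_form_settings_<id>` option layout are assumptions for the example.

```php
<?php
/**
 * Added illustration of the vulnerability class (not Divi Form Builder's code).
 * Both functions receive the POST body of a public registration form.
 */

// VULNERABLE PATTERN: the role is read from the request body, so any visitor
// chooses the role of the account they register.
function example_register_vulnerable( array $post ) {
    $role = isset( $post['role'] ) ? sanitize_text_field( $post['role'] ) : 'subscriber';

    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        'role'       => $role, // client-controlled: sanitised, but never authorised
    ) );
}

// HARDENED: the request body is not consulted for the role at all. The role comes
// from the form's saved settings and must also be on a fixed low-privilege allowlist,
// so neither a tampered request nor a misconfigured form can produce an administrator.
function example_register_hardened( array $post, int $form_id ) {
    // Assumed option layout: each form stores its own default registration role.
    $form_settings = get_option( 'example_form_settings_' . $form_id, array() );
    $configured    = isset( $form_settings['default_role'] ) ? $form_settings['default_role'] : 'subscriber';

    $allowed_roles = array( 'subscriber', 'contributor' );
    $role          = in_array( $configured, $allowed_roles, true ) ? $configured : 'subscriber';

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        'role'       => $role, // server-side decision only
    ) );

    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Verify the stored result, so a filter or other plugin cannot quietly elevate it.
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        error_log( sprintf( '[registration] user #%d unexpectedly holds administrator role', $user_id ) );
        $user->set_role( 'subscriber' );
    }

    return $user_id;
}
```

The important difference is not the sanitisation (both versions sanitise) but where the authority comes from: in the hardened handler, the role is a server-side decision that the client has no input into, and the allowlist means that even a badly configured form cannot mint privileged accounts.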

How can an attacker exploit the Divi Form Builder vulnerability?

An unauthenticated attacker can exploit this vulnerability by tampering with the 'role' parameter in POST data during the user registration process. This allows them to bypass the intended role assignment and create an administrator account.

What is the impact of the Divi Form Builder privilege escalation flaw?

The impact is critical, as unauthenticated attackers can gain administrator access to a WordPress site. This enables them to take full control, deface the site, steal data, or use the compromised site for further malicious activities.

What is the relevance of the Divi Form Builder vulnerability, and what are its practical responses?

This vulnerability is highly relevant due to its ease of exploitation for creating administrator accounts on WordPress sites. While direct exploitation is not yet widely observed, the risk is significant. Teams should prioritize patching the plugin to version 5.1.3 or later, or temporarily disable it if patching is not immediately possible. Monitoring logs for unauthorized administrator account creation is also recommended.

What are the recommended actions for the Divi Form Builder vulnerability?

To address the Divi Form Builder vulnerability, it is recommended to update the plugin to version 5.1.3 or later. As an alternative, the plugin can be temporarily disabled. It is also advised to review system logs for any signs of unauthorized administrator accounts being created, which could indicate exploitation.
