External risk intelligence

Divi Form Builder Arbitrary File Upload RCE.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-5524

This is a vulnerability in a WordPress plugin designed for form building. Such plugins are intentionally configured to be public-facing to accept user submissions, and the vulnerability allows unauthenticated attackers to upload and execute files via web requests to the public-facing WordPress site.

Unrestricted File Upload

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

The Divi Form Builder plugin for WordPress has a critical vulnerability that could allow unauthenticated attackers to upload malicious files and execute code on your website. This could potentially lead to a compromise of your site's integrity and data.

  • Allows unauthenticated file uploads.
  • Critical security flaw in a popular WordPress plugin.
  • Assess relevance and exposure of the plugin.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by leveraging the Divi Form Builder plugin's insufficient file type validation to upload a malicious PHP file. Since the plugin is publicly accessible and does not require authentication to interact with its forms, an attacker could obtain a necessary token from a public page and then upload an executable file. This uploaded file could then be accessed over HTTP, allowing the attacker to execute arbitrary code on the server.

  • Unauthenticated access to a public form.
  • Uploading specially crafted executable files.
  • Achieve remote code execution on the server.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated attackers to upload and execute PHP files on a WordPress site when the Divi Form Builder plugin is used. This could occur if the server uses Nginx or if the plugin's .htaccess protection is bypassed on Apache servers, enabling attackers to run arbitrary code by accessing the uploaded file.

  • Arbitrary PHP files on the server.
  • Uploading executable files via crafted requests.
  • Remote code execution and site compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

Security and platform teams are likely responsible for addressing this vulnerability, as it affects a WordPress plugin's file upload functionality. The immediate first step is to identify all WordPress sites using the Divi Form Builder plugin, determine their exposure and business criticality, and then coordinate remediation efforts, potentially involving vendor communication if the plugin vendor has not fully addressed the issue.

  • WordPress administrators and platform owners.
  • Verify plugin presence and external reachability.
  • Plan vendor-coordinated remediation or mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Divi Form Builder plugin?

Divi Form Builder is a tool for WordPress websites used to create and manage custom forms. It allows site owners to collect data, files, or submissions from visitors directly through their web pages. Because it handles incoming user data, the plugin is designed to process and store files uploaded by site visitors, making it a critical component for interactive site features.

What is CWE-434 in the context of CVE-2026-5524?

CWE-434 refers to 'Unrestricted Upload of File with Dangerous Type.' In this CVE, the plugin fails to properly check if an uploaded file is a safe type like an image. Because it allows attackers to upload files with extensions like .php5 or .phtml, the server may mistakenly process these files as executable scripts instead of treating them as harmless data, leading to unauthorized code execution.

How do attackers trigger this vulnerability?

Attackers can trigger this by sending a crafted request to the plugin that bypasses file name checks. They do not need a login because they can retrieve the necessary security token from any public page containing a form. The vulnerability is not triggered if the server environment strictly prevents the execution of uploaded files, but relying on standard file protection is often insufficient.

Do I need to worry about CVE-2026-5524?

Yes, if you use this plugin on an internet-facing WordPress site, your risk is elevated. Halo Surface Signal indicates this is a high-priority concern because the plugin is built to be public-facing, meaning these forms are designed to accept traffic from anywhere. If your site is accessible over the internet, an attacker can reach the form and attempt to exploit the file upload process remotely.

What steps should I take if I use Divi Form Builder?

First, locate all WordPress installations in your environment that have this plugin enabled. Verify if your server configuration relies on .htaccess for security, noting that Nginx servers may not use these files at all, which changes your risk profile. Prioritize updating the plugin to the latest version, as this is the primary way to address the underlying file validation logic flaw.

References