CVE-2026-5523: Divi Form Builder missing authorization enables account takeover
TL;DR - Authenticated low-privilege users can change other users’ email and password in vulnerable Divi Form Builder versions. - Affects Divi Form Builder for WordPress up to and including 5.1.8. - Patch immediately to the first fixed release after 5.1.8 and review account-change activity.
1) Vulnerability at a Glance
| Field | Value |
|---|---|
| CVE ID | CVE-2026-5523 |
| CVSS score | 8.8 (High) |
| Attack vector | Authenticated attack path; exact CVSS vector string was not present in the NVD tool output |
| Privileges required | Subscriber-level access and above |
| Patch available | Yes, vulnerable versions are up to and including 5.1.8; defenders should upgrade to the vendor-fixed release after 5.1.8 and verify in the official changelog |
CVE-2026-5523 is a high-severity authorization flaw in the Divi Engine Divi Form Builder plugin for WordPress. According to the NVD description, an authenticated attacker with subscriber-level access or higher can alter the email address and password of arbitrary user accounts, including administrator accounts. In practical terms, that means a low-privilege user can pivot to full site compromise if the plugin is deployed in a vulnerable version.
For defenders, the notable operational detail is that this is not a purely theoretical weakness. The root cause described by NVD is specific and actionable: the plugin accepts a target user ID from form submissions and does not verify whether the logged-in user is actually allowed to modify that account. Any WordPress environment that permits user registration, membership accounts, customer accounts, or contributor/subscriber access should treat this as a priority patching issue.
2) What Is This Vulnerability?
At its core, CVE-2026-5523 is a broken access control issue, specifically a missing authorization check. The NVD states that the plugin’s update_user() function accepts a user ID parameter from form submissions but does not validate whether the authenticated user has permission to edit that specific target account. It further states that the handle_register_submission() function only verifies that some user is logged in, not that the user is authorized to make changes to the referenced account.
That distinction matters. Authentication answers the question “who are you?” Authorization answers “are you allowed to do this?” In this case, the plugin appears to treat “logged in” as sufficient for an account-update operation that should be restricted to either the account owner or a sufficiently privileged administrator. If a subscriber can submit a crafted request naming an administrator’s user ID, and the plugin trusts that parameter, the result is arbitrary account modification.
The impact described by NVD is especially severe because the attacker can change both the target user’s email address and password. Changing the email address can disrupt password recovery and lock out the legitimate owner, while changing the password provides immediate account access. On a WordPress site, compromise of an administrator account generally leads to complete site control, including plugin installation, theme editing, user management, and persistence via malicious code or new admin accounts.
Technical Notes
A simplified illustration of the vulnerable pattern would look like this:
// Illustrative only, based on the NVD description
function handle_register_submission() {
if ( is_user_logged_in() ) {
$target_user_id = $_POST['user_id'];
update_user($target_user_id, $_POST);
}
}
A safer approach would enforce a capability or ownership check before allowing the update:
// Illustrative defensive pattern
function handle_register_submission() {
if ( ! is_user_logged_in() ) {
exit;
}
$target_user_id = intval($_POST['user_id']);
if ( get_current_user_id() !== $target_user_id && ! current_user_can('edit_user', $target_user_id) ) {
wp_die('Unauthorized');
}
update_user($target_user_id, $_POST);
}
3) Who Is Affected?
The affected product is the Divi Engine Divi Form Builder plugin for WordPress. The version range confirmed by the NVD description is “up to and including 5.1.8.” That is the strongest verified versioning statement available in the provided sources, and it should be treated as authoritative unless the vendor later amends its advisory.
Because the vulnerable component is a WordPress plugin, exposure depends on both version and deployment context. Sites that run Divi Form Builder 5.1.8 or earlier and allow any low-privilege authenticated accounts are the most exposed. That includes subscriber-enabled blogs, membership sites, e-commerce stores with customer accounts if the plugin is reachable in a way that authenticated users can abuse, community sites, and any environment where non-admin users can sign in.
The fixed version number is not explicitly quoted in the research note from a fully visible vendor advisory line. The available evidence indicates the issue is fixed in the first release after 5.1.8, which is likely 5.1.9 or later, but defenders should verify the exact fixed version directly in the official Divi Form Builder changelog before documenting closure. In the absence of a directly quoted fix line, the safe guidance is simple: if you are on 5.1.8 or earlier, you should assume you are vulnerable.
Technical Notes
Use WP-CLI to identify the installed plugin version:
wp plugin list --format=table | grep -i "divi-form-builder"
If the slug is not obvious, list all plugins and inspect manually:
wp plugin list --format=csv
Example of what to confirm operationally:
Plugin: Divi Form Builder
Installed version: 5.1.8 or earlier = treat as vulnerable
Installed version: first vendor-fixed release after 5.1.8 or newer = verify changelog and patch status
4) CVSS Score Breakdown
The NVD lists CVE-2026-5523 with a CVSS v3.x base score of 8.8, which places it in the High severity range. That score aligns with the practical impact: a low-privilege authenticated user can take over a privileged account, including administrators, on a vulnerable WordPress site.
However, one important detail is unknown from the supplied NVD tool output: the exact CVSS vector string was not present. That means defenders should not invent or overstate the specific component values such as Attack Complexity, Scope, or Confidentiality/Integrity/Availability impacts beyond what is directly supported by the description. What can be said confidently is that the score reflects a serious vulnerability with meaningful business risk, even though the full vector was not included in the retrieved record.
From a practitioner standpoint, the most relevant scoring implication is not the decimal value alone but the attacker starting position. This is not an unauthenticated internet-wide wormable bug based on the available data. It requires an authenticated account. But because subscriber-level access is enough, the real-world barrier may still be low on sites with open registration or broad user bases. In those environments, a “requires authentication” flag should not be interpreted as a strong mitigating factor.
Technical Notes
Known scoring facts from the sources:
CVSS base score: 8.8
Severity: High
Source: NVD
Exact vector string: not available in the retrieved NVD tool output
Defender assumption in absence of the full vector:
Treat as high-priority due to direct account takeover impact and low required privileges.
5) Exploitation Status
Based on the provided research, active exploitation in the wild is not confirmed. The CISA Known Exploited Vulnerabilities catalog lookup for CVE-2026-5523 returned false, meaning the CVE is not listed in KEV as of 2026-07-09. That does not prove no exploitation exists, but it does mean there is no CISA KEV confirmation to cite.
Likewise, a public proof of concept is not confirmed from the retrieved sources. The research note explicitly states that searches did not return a confirmed public PoC specifically for CVE-2026-5523. That means the evidence-based position is: PoC not confirmed, in-the-wild exploitation not confirmed, KEV-listed no.
Defenders should still avoid complacency. The vulnerability mechanics are straightforward enough that an attacker with plugin awareness may not need a publicly shared PoC. Authorization flaws in WordPress plugins are often reproducible by inspecting form flows, requests, and user update handlers. If your site exposes user registration and runs a vulnerable version, you should act as though exploitation is feasible even without public exploit telemetry.
Technical Notes
Current status summary:
CISA KEV listed: No
Public PoC confirmed from retrieved sources: No
Exploitation in the wild confirmed: No
Operational assumption:
No confirmed public exploitation does not reduce patch urgency for internet-facing WordPress sites with authenticated low-privilege users.
6) How to Detect It
Detection should focus on anomalous user profile changes, especially cases where a low-privilege user account appears to trigger email or password changes for higher-privilege users. Because the reported exploit path involves crafted form submissions carrying a target user ID, defenders should review web server logs, application logs, WordPress audit logs, and security plugin telemetry for suspicious POST requests associated with profile update workflows.
The strongest signal is a sequence where an existing subscriber account logs in and shortly afterward an administrator’s email address or password changes unexpectedly. On sites with audit plugins, look for user profile updates where the acting user and affected user do not match. On sites without WordPress audit logging, fall back to HTTP access logs around form submission endpoints and correlate them with account-change timestamps.
Technical Notes
Example hunting ideas for web logs, assuming standard combined logs or reverse proxy logs:
grep -Ei 'POST .*form' /var/log/nginx/access.log | grep -Ei 'user_id=|email=|pass|password'
Example suspicious pattern to investigate:
Authenticated low-privilege session
-> POST to a Divi Form Builder-related endpoint
-> request contains a target user_id parameter
-> shortly followed by admin login failure, password reset, or email change event
If you have WordPress activity logging, search for profile changes affecting privileged users:
SELECT *
FROM wp_users
WHERE user_email LIKE '%changed-domain%' OR user_login IN ('admin');
If a plugin or audit trail records user modifications, hunt for mismatched actor/target relationships:
actor_role=subscriber AND action IN ("user_update","profile_update","password_change","email_change")
AND target_role IN ("administrator","editor")
A generic SIEM-style query pattern might look like:
index=web OR index=wordpress
(
"user_id=" AND ("password" OR "email")
)
AND ("POST" OR "profile_update" OR "user_update")
Also review WordPress user inventory for recently added admins or changed recovery addresses:
wp user list --role=administrator --fields=ID,user_login,user_email,registered
7) Mitigation and Patching
The confirmed vulnerable range is Divi Form Builder up to and including 5.1.8. The safest mitigation is to upgrade immediately to the vendor-fixed release after 5.1.8 and verify the exact fix in the official Divi Engine changelog. Because the provided source set did not expose the exact vendor text naming the fixed version line, defenders should avoid writing “fixed in 5.1.9” as a hard fact unless they have independently confirmed it from the live vendor advisory. Operationally, though, you should move off 5.1.8 and earlier without delay.
If immediate patching is not possible, reduce exposure by restricting or disabling low-privilege authenticated access where practical, especially open registration and unneeded subscriber accounts. Review whether Divi Form Builder functionality can be temporarily disabled until the plugin is upgraded. Since the issue requires an authenticated user, shrinking the pool of active low-privilege accounts meaningfully reduces risk, though it does not replace patching.
After patching, perform incident-response checks. Review recent password resets, email changes, profile edits, and newly created administrator accounts. Force password resets for privileged users if suspicious changes are found, and rotate any credentials stored in WordPress that an attacker-admin could have accessed, including API keys present in plugins or theme settings.
Technical Notes
Check the installed version:
wp plugin list --format=table | grep -i "divi-form-builder"
Upgrade via WP-CLI if the plugin is sourced through normal WordPress update channels:
wp plugin update divi-form-builder
If the plugin slug differs in your environment, first identify it:
wp plugin list --format=csv
Temporary risk-reduction actions while awaiting maintenance window:
# Disable the plugin temporarily if business impact allows
wp plugin deactivate divi-form-builder
# Review subscriber accounts
wp user list --role=subscriber --fields=ID,user_login,user_email,registered
Post-patch validation steps:
# Confirm plugin version after update
wp plugin list --format=table | grep -i "divi-form-builder"
# Review administrator accounts
wp user list --role=administrator --fields=ID,user_login,user_email,registered
If compromise is suspected, force password resets and inspect for persistence:
wp user update <admin_user> --user_pass="$(openssl rand -base64 24)"
wp plugin list --status=active
wp theme list
8) References
The primary authoritative source for this CVE is the NVD record, which provides the CVE identifier, severity, affected range, and the technical summary of the authorization flaw. That record is the basis for the confirmed statements in this article regarding impact and affected versions.
The secondary references are useful for defender validation and follow-up. The official Divi Engine site and Divi Form Builder product page confirm vendor and product naming. The vendor changelog is the right place to verify the exact fixed version after 5.1.8. The Wordfence entry is a helpful additional reference point for WordPress security teams tracking plugin risk.
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-5523
- CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Divi Engine official site: https://diviengine.com
- Divi Form Builder product page: https://diviengine.com/product/divi-form-builder
- Divi Form Builder changelog: https://diviengine.com/divi-form-builder-changelog/
- Wordfence vulnerability reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/cb158acc-69d7-4a7d-b356-7de1f6b37019?source=cve
For further information on WordPress security, you may also want to check our articles on CVE-2026-35075 and CVE-2026-13485.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.