Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2626 is a vulnerability in the Divi Booster WordPress plugin versions prior to 5.0.2. It occurs because the plugin lacks authorization and CSRF (Cross-Site Request Forgery) protections in one of its fixing functions. This allows unauthenticated users to modify stored plugin options.'}, {'type': 'paragraph', 'content': "Additionally, the vulnerability is worsened by the use of PHP's unserialize() function on user-supplied data. This can be exploited through a PHP gadget chain to achieve PHP Object Injection, which can lead to arbitrary code execution on the affected site."}, {'type': 'paragraph', 'content': 'The exploitation involves uploading a specially crafted serialized and compressed payload to the site, which modifies plugin options and can trigger malicious code execution.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized modification of plugin settings by unauthenticated users.

More critically, it can be exploited to perform PHP Object Injection, potentially allowing attackers to execute arbitrary code on the affected WordPress site. This can lead to full site compromise, data theft, defacement, or further attacks on the hosting environment.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the unauthenticated PHP Object Injection flaw in the Divi Booster plugin versions prior to 5.0.2. The detection involves checking if the Divi theme is active and if the plugin settings page has been saved at least once, which activates the vulnerable code.'}, {'type': 'paragraph', 'content': 'A practical detection method includes creating a serialized PHP payload, compressing it with gzip, and then uploading it via an unauthenticated POST request to the target site.'}, {'type': 'paragraph', 'content': 'Example commands for detection include:'}, {'type': 'list_item', 'content': 'Create a payload file: `php -r \'$p=["poc"=>"owned"]; echo gzencode(serialize($p));\' > poc.conf`'}, {'type': 'list_item', 'content': 'Upload the payload using curl: `curl -i -X POST https://example.com -F "[email protected];type=application/octet-stream"`'}, {'type': 'paragraph', 'content': 'After uploading, verify if the plugin option `wtfdivi` in the WordPress database (wp_options table) has been modified to confirm the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Divi Booster WordPress plugin to version 5.0.2 or later, where the issue has been fixed.

This update includes authorization and CSRF checks in the fixing function, preventing unauthenticated users from modifying stored plugin options and blocking the PHP Object Injection attack vector.

Useful 0 Not Useful 0