CVE-2026-2626
Status: Received - Intake
Unauthorized PHP Object Injection in divi-booster WordPress Plugin

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: WPScan

Description
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing functions, allowing unauthenticated users to modify the plugin's stored options. Furthermore, because the submitted data is passed to unserialize(), this could be further exploited, when combined with a PHP gadget chain, to achieve PHP Object Injection.
Meta Information
Published: 2026-03-11
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: divi_booster
Product: divi_booster
Version / Range: up to 5.0.2 (excluding 5.0.2)
CWE ID / Description
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2626 is a vulnerability in the Divi Booster WordPress plugin versions prior to 5.0.2. It occurs because the plugin lacks authorization and CSRF (Cross-Site Request Forgery) protections in one of its fixing functions. This allows unauthenticated users to modify stored plugin options.

Additionally, the vulnerability is worsened by the use of PHP's unserialize() function on user-supplied data. This can be exploited through a PHP gadget chain to achieve PHP Object Injection, which can lead to arbitrary code execution on the affected site.

The exploitation involves uploading a specially crafted serialized and compressed payload to the site, which modifies plugin options and can trigger malicious code execution.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized modification of plugin settings by unauthenticated users.

More critically, it can be exploited to perform PHP Object Injection, potentially allowing attackers to execute arbitrary code on the affected WordPress site. This can lead to full site compromise, data theft, defacement, or further attacks on the hosting environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the unauthenticated PHP Object Injection flaw in the Divi Booster plugin versions prior to 5.0.2. The detection involves checking if the Divi theme is active and if the plugin settings page has been saved at least once, which activates the vulnerable code.

A practical detection method includes creating a serialized PHP payload, compressing it with gzip, and then uploading it via an unauthenticated POST request to the target site.

Example commands for detection include:

- Create a payload file: `php -r '$p=["poc"=>"owned"]; echo gzencode(serialize($p));' > poc.conf`
- Upload the payload using curl: `curl -i -X POST https://example.com -F "[email protected];type=application/octet-stream"`

After uploading, verify if the plugin option `wtfdivi` in the WordPress database (wp_options table) has been modified to confirm the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update the Divi Booster WordPress plugin to version 5.0.2 or later, where the issue has been fixed.

This update includes authorization and CSRF checks in the fixing function, preventing unauthenticated users from modifying stored plugin options and blocking the PHP Object Injection attack vector.
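The following is an added illustrative example, not Divi Booster's own code, of what a hardened settings-import handler in a WordPress plugin looks like once the two missing controls (a capability check and a CSRF nonce check) are in place and unserialize() is no longer applied to untrusted bytes. The hook name, function name, form field name and query parameters are hypothetical placeholders; only the option name `wtfdivi` comes from the advisory text above.

```php
<?php
// Added example (hypothetical names throughout): a settings-import handler that
// enforces authorization and CSRF protection and refuses to unserialize() uploads.
//
// Only the logged-in variant of the admin_post hook is registered; deliberately
// NOT registering 'admin_post_nopriv_...' means anonymous requests never reach
// this function at all.
add_action( 'admin_post_example_import_settings', 'example_import_settings' );

function example_import_settings() {
    // 1. Authorization: the caller must be allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry a valid nonce tied to this action and user.
    //    The submitting form emits it with wp_nonce_field( 'example_import_settings' ).
    check_admin_referer( 'example_import_settings' );

    // 3. Validate that an upload actually arrived before touching its contents.
    if ( empty( $_FILES['settings_file']['tmp_name'] )
        || UPLOAD_ERR_OK !== $_FILES['settings_file']['error'] ) {
        wp_die( 'No settings file uploaded.', '', array( 'response' => 400 ) );
    }

    $raw = file_get_contents( $_FILES['settings_file']['tmp_name'] );

    // 4. Never call unserialize() on untrusted input: a PHP-serialized string can
    //    instantiate arbitrary classes (CWE-502). Accept JSON and decode to arrays.
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_die( 'Invalid settings file.', '', array( 'response' => 400 ) );
    }
    // If a legacy serialized format must still be read, at minimum refuse objects:
    // $settings = unserialize( $raw, array( 'allowed_classes' => false ) );

    // 5. Allow-list option keys and sanitize values before they are stored.
    $clean = array();
    foreach ( $settings as $key => $value ) {
        if ( ! preg_match( '/^[a-z0-9_]{1,64}$/', (string) $key ) ) {
            continue; // drop unexpected keys rather than storing them
        }
        $clean[ $key ] = is_scalar( $value ) ? sanitize_text_field( (string) $value ) : '';
    }

    update_option( 'wtfdivi', $clean );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings&imported=1' ) );
    exit;
}
```

The order matters: the capability check and nonce check run before any byte of the upload is read, so an unauthenticated or cross-site request is rejected without the deserialization code ever executing. Replacing unserialize() with json_decode() removes the gadget-chain surface entirely; the commented-out `allowed_classes => false` form is the fallback when the on-disk format cannot be changed.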

