CVE-2026-5524
Status: Deferred - Pending Action

Arbitrary File Upload in Divi Form Builder Plugin

Vulnerability report for CVE-2026-5524, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do_image_upload() function where user-supplied input from the acceptFileTypes POST parameter is directly interpolated into a regular expression used to validate uploaded files. Attackers can specify PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass the plugin's .htaccess protection which only blocks .php files specifically. Additionally, on Nginx-based servers, the .htaccess protection is completely ineffective as Nginx does not process .htaccess files. This makes it possible for unauthenticated attackers (who can obtain a nonce from any public page containing a form) to upload executable PHP files to the publicly accessible /wp-content/uploads/de_fb_uploads/ directory and achieve Remote Code Execution by accessing the uploaded file via HTTP. The vulnerability was partially patched in version 5.1.3.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPEs (2):

Vendor | Product | Version / Range
divi_engine | divi_form_builder | up to and including 5.1.8
elegant_themes | divi_form_builder | up to and including 5.1.8

Exploitability

CWE ID: CWE-434
Description: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

AI Quick Actions (AI-generated insights)
Executive Summary

The Divi Form Builder plugin for WordPress has a vulnerability that allows attackers to upload arbitrary files, including executable PHP files, due to insufficient validation of file extensions in the upload process.

Specifically, the do_image_upload() function uses user-supplied input from the acceptFileTypes POST parameter directly in a regular expression to validate uploaded files, which can be manipulated to bypass protections.

Attackers can upload files with PHP-executable extensions such as .phtml, .phar, .php5, or .php7, which bypass the plugin's .htaccess protection that only blocks .php files.

On Nginx servers, this .htaccess protection is ineffective, making it possible for unauthenticated attackers to upload executable PHP files to a publicly accessible directory and execute remote code by accessing those files via HTTP.

This vulnerability affects all versions up to and including 5.1.8 and was partially patched in version 5.1.3.

Impact Analysis

This vulnerability can have severe impacts including allowing unauthenticated attackers to execute arbitrary code on your server remotely.

By uploading malicious PHP files, attackers can gain control over your WordPress site, potentially leading to data theft, site defacement, or using your server as a launchpad for further attacks.

The vulnerability has a critical severity score (CVSS 9.8), indicating that it is exploitable over the network without authentication or user interaction and can cause complete compromise of confidentiality, integrity, and availability.

Mitigation Strategies

The vulnerability is due to insufficient file extension validation in the Divi Form Builder plugin versions up to and including 5.1.8, allowing arbitrary file uploads and remote code execution.

Immediate mitigation steps include updating the Divi Form Builder plugin to a version later than 5.1.8 where the vulnerability is patched.

Additionally, on Nginx-based servers, since .htaccess files are not processed, consider implementing server-level restrictions to block execution of PHP files in the /wp-content/uploads/de_fb_uploads/ directory.

Restricting upload permissions and monitoring the /wp-content/uploads/de_fb_uploads/ directory for suspicious files can also help mitigate risk.
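To make the root cause from the description concrete alongside the allowlist fix and directory monitoring the mitigation section calls for, here is an added example written for this page. It is not the plugin's code: weak_is_allowed() is a hypothetical reconstruction of only the pattern the advisory describes (client input interpolated into the validation regex), and the extension sets are constructed values to be matched to the real server configuration.

```python
import os
import re
from typing import Iterable

# Extensions that typical PHP handler configurations execute. Constructed list for
# this example: align it with the actual handler/FPM configuration of the server.
PHP_EXECUTABLE = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "php8", "phps"}

# Fixed server-side allowlist of what the form is actually meant to accept (example values).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def weak_is_allowed(filename: str, accept_file_types: str) -> bool:
    """Hypothetical reconstruction of the weak pattern the advisory describes:
    the client-supplied acceptFileTypes value is interpolated into the regex,
    so the client rather than the server decides which extensions pass."""
    pattern = re.compile(r"\.(" + accept_file_types + r")$", re.IGNORECASE)
    return pattern.search(filename) is not None


def extension_chain(filename: str) -> list[str]:
    """All extensions of a name, lower-cased: 'a.php.jpg' -> ['php', 'jpg']."""
    return os.path.basename(filename).lower().split(".")[1:]


def hardened_is_allowed(filename: str) -> bool:
    """Ignore anything the client sends: the final extension must be on the fixed
    server-side allowlist, and no extension in the chain may be executable
    (so 'shell.php.jpg' is refused as well as 'shell.phtml')."""
    exts = extension_chain(filename)
    if not exts or "" in exts:
        return False
    if any(e in PHP_EXECUTABLE for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


def flag_suspicious_names(names: Iterable[str]) -> list[str]:
    """Names whose extension chain contains an executable extension; this is the
    check a monitor for de_fb_uploads/ should apply to every file it sees."""
    return sorted(n for n in names if any(e in PHP_EXECUTABLE for e in extension_chain(n)))


def scan_upload_dir(upload_dir: str) -> list[str]:
    """Walk e.g. wp-content/uploads/de_fb_uploads/ and return suspicious paths."""
    hits: list[str] = []
    for root, _dirs, files in os.walk(upload_dir):
        hits.extend(os.path.join(root, n) for n in flag_suspicious_names(files))
    return hits
```

Blocking PHP execution in the upload directory at the web server remains the primary control; the scan is a detective backstop that should run on a schedule and alert on any hit.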
