The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover.
Metrics
Affected Vendors & Products
References
History
Thu, 09 Jul 2026 07:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Divi Engine
Divi Engine divi Form Builder Wordpress Wordpress wordpress |
|
| Vendors & Products |
Divi Engine
Divi Engine divi Form Builder Wordpress Wordpress wordpress |
Thu, 09 Jul 2026 05:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover. | |
| Title | Divi Form Builder <= 5.1.8 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via User Profile Update Form | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-09T04:32:54.346Z
Reserved: 2026-04-04T00:04:43.797Z
Link: CVE-2026-5523
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T07:15:14Z