CVE-2026-5118: Divi Form Builder plugin allows attackers to create admin accounts

Summary

The Divi Form Builder plugin for WordPress has a security issue that allows unauthenticated attackers to create administrator accounts. This is a concern because an attacker with an admin account can access and modify sensitive data. To protect your website, update the Divi Form Builder plugin to the latest version.

Original title
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from...
Original description
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-269 Improper Privilege Management
Published: 21 May 2026 · Updated: 28 May 2026 · First seen: 21 May 2026
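
The missing check named in the description, sketched as an added example (not Divi Form Builder's code): the registration role is taken only from the form's server-side default_user_role setting, and a request 'role' value that differs is flagged for logging. The function name, the constants, the privileged-role deny-list and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration; not the plugin's source. Names below are hypothetical.
declare(strict_types=1);

// Assumed deny-list: roles a public registration form should never grant,
// even if the form's configured default is set to one of them by mistake.
const PRIVILEGED_ROLES = ['administrator', 'editor'];
const FALLBACK_ROLE = 'subscriber';

/**
 * Decide the role for a newly registered user.
 * $post is the raw request body; $formSettings is the server-side form config.
 * Returns [role, tamperDetected].
 */
function resolve_registration_role(array $post, array $formSettings): array
{
    $configured = $formSettings['default_user_role'] ?? FALLBACK_ROLE;
    if (!is_string($configured) || in_array($configured, PRIVILEGED_ROLES, true)) {
        $configured = FALLBACK_ROLE;
    }
    // The request's 'role' never selects the role. It is only compared with
    // the configured value so a mismatch can be logged as a tampering signal.
    $tampered = array_key_exists('role', $post) && $post['role'] !== $configured;
    return [$configured, $tampered];
}

// Constructed sample requests against a form configured for 'subscriber'.
$settings = ['default_user_role' => 'subscriber'];
$requests = [
    ['user_login' => 'alice', 'role' => 'subscriber'],
    ['user_login' => 'mallory', 'role' => 'administrator'],
    ['user_login' => 'bob'],
];
foreach ($requests as $post) {
    [$role, $tampered] = resolve_registration_role($post, $settings);
    printf(
        "%-8s -> %-10s %s\n",
        $post['user_login'],
        $role,
        $tampered ? '[role mismatch logged]' : ''
    );
}
```

Every sample request resolves to subscriber; only the second one is flagged as a mismatch.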