
PEACH
Un cadre d’isolation des locataires
CVE-2026-5523 is a Missing Authorization / Authorization Bypass vulnerability in the Divi Form Builder plugin for WordPress, affecting versions up to and including 5.1.8. The flaw allows authenticated attackers with subscriber-level access or higher to take over any user account, including administrator accounts, by changing their email address and password. It was published on July 9, 2026, and assigned a CVSS v3.1 base score of 8.8 (High) (GitHub Advisory, Wordfence).
The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Two specific functions are at fault: the update_user() function accepts a user ID parameter directly from form submissions without verifying that the requesting user has permission to modify that specific account, and the handle_register_submission() function only checks whether any user is logged in rather than validating whether the authenticated user has rights over the target account. This allows an attacker to supply an arbitrary user ID in a crafted form submission to modify credentials for any account on the WordPress site (GitHub Advisory, Wordfence).
Successful exploitation enables complete account takeover of any WordPress user account, including site administrators, by changing the target account's email address and password. This results in high confidentiality, integrity, and availability impact — an attacker who seizes an administrator account gains full control of the WordPress site, including the ability to install malicious plugins, exfiltrate data, deface content, or pivot to the underlying server. All sites running Divi Form Builder ≤ 5.1.8 with at least one registered subscriber-level user are at risk (GitHub Advisory, Wordfence).
/wp-json/wp/v2/users) or by inspecting author archive URLs to find the administrator's user ID.update_user() or handle_register_submission() function, supplying the administrator's user ID along with attacker-controlled email and password values in the POST parameters.wp-login.php access logs showing password reset or email change events for high-privilege accounts.user_email or user_pass fields in the wp_users table for administrator accounts, particularly if the change timestamp does not align with known admin activity.Update the Divi Form Builder plugin to a version later than 5.1.8, which includes the fix for this authorization bypass (Divi Engine Changelog). As an interim workaround, restrict subscriber and contributor role capabilities to prevent unauthorized user modifications, and consider disabling user registration if not required. Implement server-side authorization checks to ensure users can only modify their own accounts. Monitor WordPress user account changes and access logs for suspicious activity targeting administrator accounts (Wordfence).
The vulnerability was reported by Wordfence, which published the threat intelligence entry on July 9, 2026 (Wordfence). A CVEnew Twitter/Nitter post was observed shortly after disclosure, indicating routine community tracking of the CVE. No significant broader media coverage or notable researcher commentary beyond standard vulnerability aggregator entries has been identified at this time.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."