CVE-2026-5523
WordPress Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-5523 is a Missing Authorization / Authorization Bypass vulnerability in the Divi Form Builder plugin for WordPress, affecting versions up to and including 5.1.8. The flaw allows authenticated attackers with subscriber-level access or higher to take over any user account, including administrator accounts, by changing their email address and password. It was published on July 9, 2026, and assigned a CVSS v3.1 base score of 8.8 (High) (GitHub Advisory, Wordfence).

Détails techniques

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Two specific functions are at fault: the update_user() function accepts a user ID parameter directly from form submissions without verifying that the requesting user has permission to modify that specific account, and the handle_register_submission() function only checks whether any user is logged in rather than validating whether the authenticated user has rights over the target account. This allows an attacker to supply an arbitrary user ID in a crafted form submission to modify credentials for any account on the WordPress site (GitHub Advisory, Wordfence).

Impact

Successful exploitation enables complete account takeover of any WordPress user account, including site administrators, by changing the target account's email address and password. This results in high confidentiality, integrity, and availability impact — an attacker who seizes an administrator account gains full control of the WordPress site, including the ability to install malicious plugins, exfiltrate data, deface content, or pivot to the underlying server. All sites running Divi Form Builder ≤ 5.1.8 with at least one registered subscriber-level user are at risk (GitHub Advisory, Wordfence).

Étapes d’exploitation

  1. Reconnaissance: Identify WordPress sites running the Divi Form Builder plugin (version ≤ 5.1.8) by inspecting page source, HTTP headers, or using tools like WPScan.
  2. Obtain low-privilege access: Register or log in as a subscriber-level (or higher) user on the target WordPress site.
  3. Identify target user ID: Enumerate WordPress user IDs via the REST API (/wp-json/wp/v2/users) or by inspecting author archive URLs to find the administrator's user ID.
  4. Craft malicious form submission: Submit a Divi Form Builder form request that calls the update_user() or handle_register_submission() function, supplying the administrator's user ID along with attacker-controlled email and password values in the POST parameters.
  5. Account takeover: Because no authorization check validates that the authenticated user owns the target account, the server updates the administrator's credentials. The attacker then logs in as the administrator using the newly set credentials, achieving full site control (GitHub Advisory, Wordfence).

Indicateurs de compromis

  • Logs: WordPress authentication logs showing a subscriber-level account logging in, followed shortly by an administrator account login from a different IP or user agent; wp-login.php access logs showing password reset or email change events for high-privilege accounts.
  • Database: Unexpected changes to the user_email or user_pass fields in the wp_users table for administrator accounts, particularly if the change timestamp does not align with known admin activity.
  • Network: Unusual POST requests to Divi Form Builder form endpoints containing user ID parameters referencing accounts other than the authenticated user; repeated form submissions targeting multiple user IDs in quick succession.
  • WordPress Admin Events: Audit log entries (if a logging plugin is installed) showing user profile updates initiated by a subscriber-level account for a different user's record.

Atténuation et solutions de contournement

Update the Divi Form Builder plugin to a version later than 5.1.8, which includes the fix for this authorization bypass (Divi Engine Changelog). As an interim workaround, restrict subscriber and contributor role capabilities to prevent unauthorized user modifications, and consider disabling user registration if not required. Implement server-side authorization checks to ensure users can only modify their own accounts. Monitor WordPress user account changes and access logs for suspicious activity targeting administrator accounts (Wordfence).

Réactions de la communauté

The vulnerability was reported by Wordfence, which published the threat intelligence entry on July 9, 2026 (Wordfence). A CVEnew Twitter/Nitter post was observed shortly after disclosure, indicating routine community tracking of the CVE. No significant broader media coverage or notable researcher commentary beyond standard vulnerability aggregator entries has been identified at this time.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté WordPress Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-5523HIGH8.8
  • divi-form-builder
NonOuiJul 09, 2026
CVE-2026-6820HIGH7.2
  • vikbooking
NonOuiJul 08, 2026
CVE-2026-6740MEDIUM6.4
  • the-plus-addons-for-block-editor
NonOuiJul 08, 2026
CVE-2026-6459MEDIUM6.4
  • essential-addons-for-elementor-lite
NonOuiJul 08, 2026
CVE-2026-5459MEDIUM5.3
  • wp-user-frontend
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités