CVE-2026-5118
Description
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated user registration in Divi Form Builder ≤5.1.2 allows privilege escalation to Administrator by manipulating a POST role parameter.
Vulnerability
The Divi Form Builder plugin for WordPress, in versions up to and including 5.1.2, contains a privilege escalation vulnerability in user registration. The plugin accepts a user-controlled role parameter from POST data without validating it against the form's configured default_user_role setting. As a result, the registration endpoint can be abused to assign an arbitrary role, including Administrator, to a newly created account. The affected version range is all versions up to 5.1.2 [1].
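The missing check described above, shown as a vulnerable role lookup beside a hardened one. This is an added example, not the plugin's code or its fix: the function names, the shape of $formConfig, the allow-list and the sample requests are all assumptions made for illustration.

```php
<?php
// Added illustration; not the plugin's code. Function names and the
// $formConfig layout are hypothetical.

// Vulnerable pattern: a role supplied in POST data overrides the form setting.
function resolve_role_vulnerable(array $post, array $formConfig): string
{
    return $post['role'] ?? $formConfig['default_user_role'];
}

// Hardened pattern: the role comes only from server-side form configuration,
// and even that value must be on an allow-list of low-privilege roles.
function resolve_role_hardened(array $post, array $formConfig): string
{
    $allowed = ['subscriber', 'contributor']; // assumed site policy
    $role = $formConfig['default_user_role'] ?? 'subscriber';
    if (!in_array($role, $allowed, true)) {
        $role = 'subscriber'; // fail closed on a misconfigured form
    }
    if (array_key_exists('role', $post) && $post['role'] !== $role) {
        // Tampering signal: record it for review, never honour it.
        error_log('registration: ignored client-supplied role '
            . json_encode($post['role']));
    }
    return $role;
}

// Constructed sample inputs.
$formConfig = ['default_user_role' => 'subscriber'];
$requests = [
    'normal'   => ['user_login' => 'alice', 'user_email' => 'alice@example.test'],
    'tampered' => ['user_login' => 'mallory', 'user_email' => 'm@example.test',
                   'role' => 'administrator'],
];

// Compare what each resolver would hand to the account-creation step.
foreach ($requests as $label => $post) {
    printf(
        "%-8s vulnerable=%-13s hardened=%s\n",
        $label,
        resolve_role_vulnerable($post, $formConfig),
        resolve_role_hardened($post, $formConfig)
    );
}
```

The logged message for an ignored role value doubles as a detection signal for registration tampering.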
Exploitation
An unauthenticated attacker can exploit this by sending a crafted POST request to the user registration endpoint provided by the plugin. When the POST data includes role=administrator (or any other desired role slug), the plugin creates a new user with that role, bypassing the intended restriction to the form's default user role. No authentication or special network position is required beyond normal web access to the WordPress site running the vulnerable plugin [1].
Impact
Successful exploitation gives the attacker a fully privileged administrator account on the affected WordPress site. This leads to complete compromise of confidentiality, integrity, and availability, as an administrator can install plugins, modify content, and access all data. The vulnerability is rated Critical with a CVSS v3 score of 9.8 [1].
Mitigation
The vulnerability has been fixed in version 5.1.8 of the Divi Form Builder plugin, released on May 18, 2026. Users should update immediately to version 5.1.8 or later. No workaround is documented in the available references [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=5.1.2
- (no CPE) range: <=5.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.