logo

Critical RCE Vulnerability in Divi Form Builder Plugin for WordPress

ID: e05f037b-1feb-51ca-92a7-95c59d05cdb3

STIX ID: report--e05f037b-1feb-51ca-92a7-95c59d05cdb3

Feed Name: ThreatCluster

Threat Score
75/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

...
...

Divi Form Builder (<= 5.1.8) contains an unauthenticated arbitrary file upload vulnerability in do_image_upload() that allows attackers to upload executable PHP files (e.g., .phtml, .phar) and achieve remote code execution by bypassing .htaccess protections; the issue carries a CVSS 9.8, a partial fix in 5.1.3 is incomplete, and administrators (especially on Nginx) are advised to update beyond 5.1.8 and apply server-level protections — no proof-of-concept or active exploitation reported.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.