Description
The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection
References (1)
Core 1
Core References
Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/
Scores
CVSS v3
8.1
EPSS
0.0016
EPSS Percentile
5.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-352
CWE-502
Status
published
Published
Mar 11, 2026
Tracked Since
Mar 11, 2026