CVE-2026-5524

CRITICAL EXPLOITED

Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-5524 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including caterscam.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-5524, an unauthenticated remote code execution vulnerability in Divi Form Builder <= 5.1.8. The exploit leverages a file upload vulnerability via a regex injection in the 'acceptFileTypes' parameter to upload malicious PHP shells, bypassing WAF/ModSecurity restrictions.

Description

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do_image_upload() function where user-supplied input from the acceptFileTypes POST parameter is directly interpolated into a regular expression used to validate uploaded files. Attackers can specify PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass the plugin's .htaccess protection which only blocks .php files specifically. Additionally, on Nginx-based servers, the .htaccess protection is completely ineffective as Nginx does not process .htaccess files. This makes it possible for unauthenticated attackers (who can obtain a nonce from any public page containing a form) to upload executable PHP files to the publicly accessible /wp-content/uploads/de_fb_uploads/ directory and achieve Remote Code Execution by accessing the uploaded file via HTTP. The vulnerability was partially patched in version 5.1.3.

Exploits (1)

nomisec WORKING POC
by caterscam · remote
https://github.com/caterscam/CVE-2026-5524-PoC

This repository contains a functional exploit for CVE-2026-5524, an unauthenticated remote code execution vulnerability in Divi Form Builder <= 5.1.8. The exploit leverages a file upload vulnerability via a regex injection in the 'acceptFileTypes' parameter to upload malicious PHP shells, bypassing WAF/ModSecurity restrictions.

Classification
Working Poc 98%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Divi Form Builder <= 5.1.8 (WordPress plugin)
No auth needed
Prerequisites: Target must have Divi Form Builder plugin installed (<= 5.1.8) · WordPress site must allow file uploads via the plugin's AJAX endpoint · Attacker must be able to reach the target's wp-admin/admin-ajax.php endpoint
mistral-large-3 · analyzed Jul 04, 2026 Full analysis →

Scores

CVSS v3 9.8
EPSS 0.0054
EPSS Percentile 41.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-07-02
CWE
CWE-434
Status published
Products (1)
Divi Engine/Divi Form Builder < 5.1.8
Published Jul 02, 2026
Tracked Since Jul 02, 2026