highCVE-2026-5523

Divi Form Builder WordPress Plugin Account Takeover Vulnerability

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover.

ProductDivi Form Builder
CVSS8.8
EPSS0.00309
UpdatedJuly 10, 2026

Quick answer

Divi Form Builder should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Divi Form Builder up to and including 5.1.8

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Divi Form Builder up to 5.1.8 allowed subscriber-level users to change another user email or password through missing authorization checks. Update the plugin immediately and review user accounts for takeover indicators.

  1. Inventory WordPress sites using Divi Form Builder version 5.1.8 or earlier.
  2. Update Divi Form Builder to a fixed vendor-supported release, or disable the plugin until a fix is deployed.
  3. Force password resets for administrator, editor, customer, and other privileged WordPress users if exploitation is possible.
  4. Review user email changes, password reset events, account role changes, and new administrator accounts.
  5. Remove suspicious users, sessions, application passwords, and API tokens from affected WordPress sites.
  6. Enable MFA for administrators and restrict subscriber registration where it is not required.
  7. Review server files and plugins for follow-on persistence after potential account takeover.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Divi Form Builder is updated beyond the affected 5.1.8 version or disabled.
  • Validate a subscriber cannot modify another user email or password.
  • Review WordPress audit logs for account takeover activity.
  • Confirm privileged user sessions and application passwords were reset where needed.
  • Run a Fixnx scan and verify the affected WordPress endpoints are not exploitable.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-5523?

Divi Form Builder versions listed as affected should be reviewed: Divi Form Builder up to and including 5.1.8.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.