CVE lookup
CVE-2026-5524
Pruva has a verified reproduction for CVE-2026-5524: Divi Form Builder WordPress plugin allows unauthenticated arbitrary file upload via user-controlled acceptFileTypes, leading to RCE by uploading executable PHP extensions and accessing them in /wp-content/uploads/de_fb_uploads/.. The canonical evidence record is REPRO-2026-00252.
REPRO
REPRO-2026-00252
Package
divi-form-builder · wordpress
Severity
CRITICAL
Status
published