Skip to content

CVE lookup

CVE-2026-5524

Pruva has a verified reproduction for CVE-2026-5524: Divi Form Builder WordPress plugin allows unauthenticated arbitrary file upload via user-controlled acceptFileTypes, leading to RCE by uploading executable PHP extensions and accessing them in /wp-content/uploads/de_fb_uploads/.. The canonical evidence record is REPRO-2026-00252.

REPRO

REPRO-2026-00252

Package

divi-form-builder · wordpress

Severity

CRITICAL

Status

published