GHSA-c9hw-vrgh-hh3mHighCVSS 8.8

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up...

Published
July 9, 2026
Last Modified
July 9, 2026

🔗 CVE IDs covered (1)

📋 Description

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover.

🔗 References (4)