GHSA-c9hw-vrgh-hh3mHighCVSS 8.8
The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up...
🔗 CVE IDs covered (1)
📋 Description
The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover.