WWordPress Vulnerability Database

Public Advisory Divi Content Visibility Code Risk(CVE20261829)

Arbitrary Code Execution in WordPress Content Visibility for Divi Builder Plugin
0
Shares
0
0
0
0
Plugin Name Content Visibility for Divi Builder
Type of Vulnerability Arbitrary Code Execution
CVE Number CVE-2026-1829
Urgency Medium
CVE Publish Date 2026-06-04
Source URL CVE-2026-1829





Authenticated Contributor RCE in Content Visibility for Divi Builder (CVE-2026-1829) — What WordPress Site Owners Must Do Now



Authenticated Contributor RCE in Content Visibility for Divi Builder (CVE-2026-1829) — What WordPress Site Owners Must Do Now

Author: Hong Kong Security Expert | Date: 2026-06-04

Summary

  • Vulnerability: Arbitrary Code Execution (remote code execution) in the Content Visibility for Divi Builder WordPress plugin, affecting versions ≤ 4.02.
  • CVE: CVE-2026-1829
  • Severity: High — CVSS 8.8
  • Required privilege: Authenticated user with Contributor role
  • Patched in: 5.00
  • Risk: Attackers can escalate a low-privileged account to execute arbitrary code on the server — often used in mass compromise campaigns.

As a Hong Kong-based security practitioner I treat this vulnerability as a real and immediate threat to WordPress sites that use the Content Visibility for Divi Builder plugin. Below I explain what the flaw means, how attackers can abuse it, quick mitigations, detection methods, and both emergency and longer-term remediation steps. If your site allows Contributor-level users to log in, read this carefully and act now.

What happened? High-level overview

A vulnerability in the “Content Visibility for Divi Builder” plugin (versions up to 4.02) allows an authenticated attacker with Contributor privileges to perform arbitrary code execution on the hosting environment. This is not a simple content injection — it allows execution of attacker-supplied code on the server. Exploitation can lead to persistent backdoors, lateral movement to other sites on the same server, credential theft, defacements, and spam campaigns.

The vulnerability was publicly disclosed and assigned CVE-2026-1829. A security patch is available in version 5.00 of the plugin, but many sites delay updates due to customisations, testing, or hosting constraints. Rapid mitigation and detection are therefore essential.

Why this vulnerability is dangerous

Contributor accounts are common on multi-author blogs, community sites, and platforms that accept content from external contributors. Contributors normally can create and edit their own posts but cannot install plugins or modify themes. When a plugin permits server-side execution from Contributor-level input, it effectively bypasses the privilege model:

  • Attackers do not need admin credentials to fully compromise a site.
  • Exploits are easy to scale — automated scripts can target many sites quickly.
  • Once code execution is achieved, persistent access may remain even after updates unless backdoors are found and removed.
  • The vulnerability maps to injection patterns: unsafe input is used in a way that influences server behaviour.

Because Contributor accounts are easier to obtain and many sites have multiple contributors, the exploit surface is large. Automated scanners and bots typically attempt exploitation almost immediately after disclosure.

Technical analysis (what likely went wrong)

Public advisories point to arbitrary code execution triggered by an authenticated contributor. Common root causes for this class of vulnerability include:

  • User-controlled input (post meta, shortcode attributes, AJAX payloads, or file uploads) that is later included or executed on the server without proper sanitisation and escaping.
  • Server-side routines directly evaluating content (for example via PHP’s eval or by including a file/template path constructed from user input).
  • AJAX actions or REST endpoints that fail to check capabilities properly, allowing lower-privileged roles to perform admin-intended operations.
  • File upload handlers that allow PHP files (or files that can become executable) without validating MIME types or storage location.

Even if eval is not called explicitly, attackers can chain behaviours (write to a theme/plugin file via write APIs, trick code into including the file, or plant backdoors via templates) to achieve RCE.

Who is affected?

  • Any WordPress site running Content Visibility for Divi Builder plugin versions 4.02 or earlier.
  • Sites that have Contributor accounts (or roles with equivalent capability) and where those users can access the vulnerable functionality.
  • Multisite networks where the plugin is network-activated and Contributors exist on sub-sites.

If you host CMS platforms with user-generated content (guest authors, open submissions, multi-author blogs), treat this as critical even if you think Contributors are “trusted” — attackers routinely create fake contributor accounts.

Immediate actions — do this now (ordered)

  1. Verify plugin version — Log in and check the plugin version. If it’s ≤ 4.02, your site is vulnerable.
  2. Update the plugin — Update Content Visibility for Divi Builder to version 5.00 or later immediately where possible.
  3. If you cannot update immediately, reduce risk:
    • Temporarily deactivate the plugin until you can update or verify a safe timeline.
    • Limit Contributor access: restrict or suspend new contributor logins until the site is secure.
    • Restrict or block the plugin’s endpoints at the webserver or gateway level.
    • Harden file upload directories: disallow PHP execution from /wp-content/uploads/ via .htaccess or server configuration.
  4. Apply virtual protections — Deploy gateway-level protections (WAF rules, webserver access rules) to block exploit patterns while you prepare updates. These are temporary measures, not replacements for the official patch.
  5. Rotate credentials and keys — If compromise is suspected or for prudence after patching, rotate admin passwords, API keys, and any other secrets.
  6. Scan the site immediately — Perform a full malware and integrity scan (files and database) to check for backdoors, unexpected PHP files, changed core files, or rogue DB entries.

Quick webserver and WAF rule suggestions (examples — test before deploying)

These are generic examples to reduce exploit risk when updates are not possible. Test on staging first; overly broad rules can break functionality.

Block uploaded PHP execution (nginx example)

location ~* /wp-content/uploads/.*\.(php|phtml|php5|phar)$ {
    deny all;
    return 403;
}

.htaccess to stop PHP execution in uploads (Apache)


  Order Deny,Allow
  Deny from all

Conceptual WAF approaches

  • Block POST requests to specific plugin endpoints from non-admin sessions (identify plugin AJAX actions or REST routes).
  • Deny requests containing common PHP function names in form fields (exec, shell_exec, system, passthru, base64_decode, eval) when originating from contributor accounts.
  • Prevent uploads that create or modify PHP files under /wp-content/uploads/.

These are defensive layers only. Sophisticated exploit chains may bypass simple rules, so combine virtual patching with plugin updates and monitoring.

Detection: signs of exploitation

Hunt for these indicators:

  • New or modified files you did not place, especially PHP files in:
    • /wp-content/uploads/
    • /wp-content/plugins/ (unexpected files)
    • /wp-content/themes/[theme]/ (unknown files)
  • Unknown admin or contributor user accounts created recently.
  • Suspicious scheduled tasks (wp-cron jobs) or unknown hooks in the DB.
  • Outbound connections to unfamiliar IPs or domains (beacons / C2).
  • High CPU usage or frequent PHP processes.
  • Webserver logs showing unusual POSTs to plugin endpoints, encoded payloads (base64/gzip), or repeated requests from the same IP.
  • Altered core files (compare against clean copies) or DB rows with injected code (e.g.,