divi-booster Vulnerability (High) – CVE-2026-2626


by | Mar 19, 2026 | Plugins

Attack Vectors

Divi Booster (WordPress plugin slug: divi-booster) has a High-severity vulnerability (CVE-2026-2626, CVSS 8.1; CVE record) that can be reached by unauthenticated attackers over the internet. This means the attacker does not need a login, and no user interaction is required.

While the CVSS vector indicates the attack is not “one-click easy” (it has higher attack complexity), it is still a meaningful business risk because it can be tested and attempted remotely and repeatedly against public-facing sites.

Security Weakness

The issue is a PHP Object Injection weakness in Divi Booster versions up to 5.0.2, caused by deserialization of untrusted input. In practical terms, the plugin can be tricked into processing attacker-supplied data in a way that may create unexpected objects on your server.

According to the referenced advisory, no known “POP chain” is present in the vulnerable software. However, if a usable chain exists elsewhere in your environment (for example, from another installed plugin or theme), this weakness can become far more dangerous and lead to broader compromise.
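The sketch below shows why the surrounding environment matters, and what a restricted deserialization call changes. It is an added example, not code from Divi Booster or from the advisory. It assumes PHP 7.2 or later, and the class OtherPluginTempFile and the functions load_weak, load_hardened and contains_object are hypothetical names.

```php
<?php
// Added illustration. None of this is Divi Booster code; every name is hypothetical.
// Stand-in for a class shipped by some other plugin or theme. A magic method
// that acts on a property is what makes a class usable in a chain. This one
// only records the value, so the effect is visible and harmless.
class OtherPluginTempFile {
    public $path = '';
    public static $log = [];
    public function __destruct() {
        self::$log[] = 'destructor acted on: ' . $this->path;
    }
}

// Constructed sample: a serialized object standing in for a request value
// that the application did not create itself.
$cls = 'OtherPluginTempFile';
$val = 'constructed-sample-value';
$input = sprintf('O:%d:"%s":1:{s:4:"path";s:%d:"%s";}',
    strlen($cls), $cls, strlen($val), $val);

// Weak pattern: no class restriction, so any loaded class can be instantiated.
function load_weak(string $data) {
    return unserialize($data);
}

// True if the value is, or contains, an object (including the
// __PHP_Incomplete_Class placeholder that unserialize() substitutes).
function contains_object($v): bool {
    if (is_object($v)) { return true; }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (contains_object($item)) { return true; }
        }
    }
    return false;
}

// Hardened pattern: instantiate no classes, then accept plain data only.
function load_hardened(string $data) {
    $v = unserialize($data, ['allowed_classes' => false]);
    return contains_object($v) ? null : $v;
}

$obj = load_weak($input);
unset($obj);                          // object destroyed: the magic method runs
$weakLog = OtherPluginTempFile::$log;
OtherPluginTempFile::$log = [];
$result = load_hardened($input);      // placeholder object is rejected
var_dump($weakLog, $result, OtherPluginTempFile::$log);
```

Where the stored value is plain data, json_encode() and json_decode() avoid the object-instantiation path entirely.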

Technical or Business Impacts

If attackers can combine this vulnerability with a compatible chain from another plugin/theme, impacts can include arbitrary file deletion, retrieval of sensitive data, or code execution. For business owners and executives, this translates into risks such as site downtime, defacement, lead loss, disrupted campaigns, and potential exposure of customer or business data.

Even without confirmed exploitation in your specific stack, a High-severity issue affecting an unauthenticated attack surface should be treated as urgent because it increases the likelihood of incident response costs, reputational damage, and compliance concerns—especially if the website supports ecommerce, form submissions, account logins, or stores marketing/customer data.

Remediation: Update Divi Booster to version 5.0.2 (or a newer patched release) as recommended by the source advisory: Wordfence vulnerability report.

Similar Attacks

PHP deserialization and object injection issues have been used in real-world attacks against popular web platforms when attackers could pair the weakness with a workable gadget chain:

CVE-2015-8562 (Joomla) — Object injection leading to remote code execution
CVE-2018-15133 (Laravel) — Deserialization-related remote code execution
