{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2626", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-02-17T13:22:38.616Z", "datePublished": "2026-03-11T06:00:10.837Z", "dateUpdated": "2026-03-11T13:31:01.668Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-11T06:00:10.837Z"}, "title": "Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection", "problemTypes": [{"descriptions": [{"description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "divi-booster", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "5.0.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection"}], "references": [{"url": "https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Saif (Team 51)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:30:06.213510Z", "id": "CVE-2026-2626", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:31:01.668Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2626", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T13:30:06.213510Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:28:34.723Z"}}], "cna": {"title": "Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Saif (Team 51)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "divi-booster", "versions": [{"status": "affected", "version": "0", "lessThan": "5.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-502 Deserialization of Untrusted Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-11T06:00:10.837Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2626", "state": "PUBLISHED", "dateUpdated": "2026-03-11T13:31:01.668Z", "dateReserved": "2026-02-17T13:22:38.616Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-11T06:00:10.837Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection"}, {"lang": "es", "value": "El plugin de WordPress divi-booster anterior a 5.0.2 no tiene comprobaciones de autorizaci\u00f3n y CSRF en una de sus funciones de arreglo, lo que permite a usuarios no autenticados modificar opciones almacenadas del plugin de WordPress divi-booster anterior a 5.0.2. Adem\u00e1s, debido al uso de unserialize() en los datos, esto podr\u00eda ser explotado a\u00fan m\u00e1s cuando se combina con una cadena de gadgets de PHP para lograr la inyecci\u00f3n de objetos PHP."}], "id": "CVE-2026-2626", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T06:17:14.353", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.2)"}}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}]}, "original": {"product": "divi-booster", "source": "cna", "vendor": "Unknown"}, "product": "divi-booster", "vendor": "divi-booster"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T15:32:34.786512+00:00", "value": {"mitigation_remediation": ["Upgrade Divi Booster to version 5.0.2 or later", "If an upgrade is not possible, remove the plugin or disable its functionality", "Restrict administrative access to WordPress by IP address or network segmentation", "Monitor web server logs for unexpected POST requests to the plugin endpoint"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Divi Booster WordPress plugin from an unknown vendor. All installations running a version prior to 5.0.2 are vulnerable. No additional version details are supplied in the CNA data.", "description_and_impact": "The vulnerability in the Divi Booster WordPress plugin allows an attacker to modify plugin options without authentication because the function responsible for updating settings lacks proper authorization and CSRF protection. The function also uses PHP's unserialize() on user\u2011supplied data. This combination enables PHP Object Injection, which can be chained with an existing gadget to execute arbitrary code on the server. The result is a high\u2011impact breach that allows an attacker to compromise the entire WordPress installation, including sensitive data, files, or full system control, as indicated by the CVSS score of 8.1 and the identified weaknesses CWE-502 and CWE-352.", "risk_and_exploitability": "The vulnerability is uncovered by an unauthenticated attacker, meaning no credentials are required to exploit it. The CVSS score of 8.1 classifies it as high severity. The EPSS score of less than 1% suggests limited exploitation probability, and it is not listed in the CISA KEV catalog. Nevertheless, because the path to exploitation is straightforward\u2014sending a crafted payload to the vulnerable function and leveraging a gadget chain\u2014security teams should treat it as high risk and act promptly. The plain web interface can be abused directly, making the attack vector remote and user\u2011friendly."}}}}, "created": "2026-03-12T10:06:24.623673+00:00", "updated": "2026-03-20T14:37:45.379386+00:00", "vendors": ["divi-booster", "divi-booster$PRODUCT$divi-booster", "wordpress", "wordpress$PRODUCT$wordpress"]}