CVE-2026-2626 PUBLISHED

Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection

Assigner: WPScan
Reserved: 17.02.2026 Published: 11.03.2026 Updated: 11.03.2026

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection

Product Status

Vendor	Unknown
Product	divi-booster
Versions	Default: unaffected affected from 0 to 5.0.2 (excl.)

Credits

Saif (Team 51) finder
WPScan coordinator

References

https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/

Problem Types

CWE-502 Deserialization of Untrusted Data CWE
CWE-352 Cross-Site Request Forgery (CSRF) CWE