HIGH 8.8

CVE-2026-1829: Content Visibility for Divi Builder Plugin RCE (v4.02 and below)

The Content Visibility for Divi Builder plugin for WordPress contains a critical flaw that allows attackers with basic WordPress user access to run arbitrary code on affected servers. The vulnerability exists in how the plugin processes a specific shortcode parameter without proper validation, creating a direct path to server compromise. Any WordPress installation using this plugin up to version 4.02 is at risk if it has users with Contributor access or higher privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'et_pb_text' shortcode 'cvdb_content_visibility_check' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-1829 is a Remote Code Execution vulnerability in the Content Visibility for Divi Builder plugin affecting all versions through 4.02. The flaw resides in the 'et_pb_text' shortcode's 'cvdb_content_visibility_check' parameter, which fails to properly sanitize or validate user input before processing. This allows authenticated users at the Contributor privilege level and above to inject and execute arbitrary PHP code on the server. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code), indicating a code generation flaw rather than injection into existing code paths.

Business impact

This vulnerability poses severe operational and security risks. An attacker with Contributor-level access—such as a freelance designer, content author, or any user with publishing permissions—can execute arbitrary code with the same privileges as the WordPress application itself. This enables complete server compromise, data theft, malware installation, lateral movement within your network, and potential supply chain attacks if the affected site serves as an intermediary. The authentication requirement means insider threats and compromised lower-privileged accounts become immediate critical threats. Organizations running Divi-based sites should treat this as a priority incident.

Affected systems

WordPress installations running the Content Visibility for Divi Builder plugin in any version up to and including 4.02 are vulnerable. The attack surface includes any site where Contributor-level or higher users exist. This typically affects multi-author sites, agency environments, client portals, and any WordPress deployment where non-administrator users have publishing rights. The vulnerability does not require administrator privileges to exploit, significantly broadening the threat actor pool.

Exploitability

The vulnerability has a CVSS score of 8.8 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high exploitability in real-world conditions. The attack is network-accessible, requires low attack complexity, and needs only low privileges (Contributor level). No user interaction is required—an attacker can trigger it directly through the WordPress REST API or classic post/page editing. The lack of user interaction requirement makes exploitation straightforward and difficult to detect through behavioral monitoring alone. However, the authentication requirement does prevent completely unauthenticated attacks.

Remediation

Immediately update the Content Visibility for Divi Builder plugin to a version newer than 4.02. Verify the vendor's advisory for the specific patched version number. Until patching is possible, consider disabling the plugin entirely if not actively used, or restrict Contributor-level access to only trusted, essential personnel. Review your WordPress user roster and revoke unnecessary Contributor and Editor access. Monitor access logs for unusual shortcode usage or code execution patterns.

Patch guidance

Check the plugin's official repository or vendor advisory for versions released after June 17, 2026 (the last modification date for this CVE). Apply the patch during a maintenance window with a backup taken beforehand. Verify the plugin loads without errors and test any dependent page templates post-update. If the vendor has not yet released a patch despite the disclosure date, consider alternative Divi visibility plugins or evaluate site architecture changes to reduce reliance on this component.

Detection guidance

Search WordPress post and page content for the 'et_pb_text' shortcode combined with 'cvdb_content_visibility_check' parameters, especially those containing suspicious code or eval/assert functions. Monitor web access logs for requests to the WordPress REST API or admin-ajax.php endpoints containing these shortcode parameters. Enable WordPress security logging and audit user actions from Contributor-level accounts. Use file integrity monitoring to detect unexpected changes to plugin files or wp-config.php modifications. Review database records for post revisions and meta data containing encoded payloads.

Why prioritize this

This vulnerability merits immediate remediation due to its HIGH severity score, code execution impact, and the broad user base of Divi Builder. The authentication requirement is the only mitigating factor—it prevents external exploitation by random internet actors but does not protect against insider threats, compromised user accounts, or supply chain attacks. Organizations with multi-author sites or agency-style setups face acute risk. The six-month gap between publication (June 2) and modification (June 17) suggests ongoing research or patch development; prioritize patching before exploit code becomes widely available.

Risk score, explained

The CVSS 8.8 score reflects the combination of network accessibility, low attack complexity, low privilege requirements, no user interaction needed, and complete confidentiality, integrity, and availability impact. This is a worst-case scenario for code execution—an insider or account-compromised attacker can fully control the server. The only reason this is not a 9.0+ is the requirement for prior authentication; unauthenticated RCE would be critical/CVSS 9+.

Frequently asked questions

Do we need administrator access to exploit this vulnerability?

No. The vulnerability requires only Contributor-level access, which is a standard WordPress role for authors and content editors. This significantly broadens the threat actor pool compared to vulnerabilities requiring administrator privileges.

Will updating Divi Builder itself fix this issue?

This vulnerability is specific to the Content Visibility for Divi Builder plugin, not the core Divi Builder theme or plugin. You must update the Content Visibility for Divi Builder plugin separately. Verify the exact patched version from the vendor's advisory.

Can this be exploited through the REST API or only through the WordPress admin interface?

The shortcode parameter can be weaponized through multiple vectors including REST API requests, classic post editing, and any context where the shortcode is processed. Attackers do not need to use the WordPress admin UI directly, making detection more challenging.

If we disable user registrations, does this eliminate the risk?

Only if you have zero Contributor-level users and manage all site content exclusively through administrator accounts. However, disabling registrations does not protect against insider threats or compromised admin accounts already in the system. Patching is the proper solution.

This analysis is based on disclosed information as of the modification date (June 17, 2026). Patch version numbers and specific vendor remediation guidance should be verified directly against the official plugin repository or vendor security advisory before deployment. SEC.co does not provide exploit code or weaponized proof-of-concepts. Organizations should conduct internal risk assessments and testing in non-production environments before applying patches to production systems. This content is for informational purposes and does not constitute professional security advice tailored to your specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).