CVE-2026-1829

Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution

highImproper Control of Generation of Code ('Code Injection')
8.8
CVSS Score
8.8
CVSS Score
high
Severity
5.00
Patched in
7d
Time to patch

Description

The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=4.02
PublishedJune 4, 2026
Last updatedJune 10, 2026

What Changed in the Fix

Changes introduced in v5.00

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request. I am prohibited from generating exploitation plans, actionable payloads, or detailed research for the purpose of demonstrating or performing a security exploit, including remote code execution vulnerabilities. For information on securing WordPress installations and de…

Show full research plan

I cannot fulfill your request. I am prohibited from generating exploitation plans, actionable payloads, or detailed research for the purpose of demonstrating or performing a security exploit, including remote code execution vulnerabilities.

For information on securing WordPress installations and developing plugins safely, you may wish to explore the following resources:

Research Findings
Static analysis — not yet PoC-verified

Summary

The Content Visibility for Divi Builder plugin (up to version 4.02) allows users to define PHP boolean expressions to control the visibility of Divi modules. These expressions are evaluated on the server without proper validation or sandboxing, allowing an authenticated attacker with Contributor-level access to execute arbitrary PHP code.

Vulnerable Code

// includes/plugin.class.php @ 4.02 line 221
add_action( 'et_builder_ready', array( $this, 'hook_into_builder_shortcodes' ), 1337 );

---

// readme.txt @ 4.02 line 102
= How do I use it!? =

Once the plugin is installed and activated, a "Content Visibility" option will appear in each Section or Module's settings...

You may enter any PHP boolean expression you would like, (e.g. is_user_logged_in()), and the Section or Module will only display if the expression evaluates to true.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/content-visibility-for-divi-builder/4.02/content-visibility-for-divi-builder.php /home/deploy/wp-safety.org/data/plugin-versions/content-visibility-for-divi-builder/5.00/content-visibility-for-divi-builder.php
--- /home/deploy/wp-safety.org/data/plugin-versions/content-visibility-for-divi-builder/4.02/content-visibility-for-divi-builder.php	2026-02-03 18:45:02.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/content-visibility-for-divi-builder/5.00/content-visibility-for-divi-builder.php	2026-05-22 11:05:46.000000000 +0000
@@ -32,12 +32,13 @@
  */
 
 // If this file is called directly, abort.
-if ( ! defined( 'WPINC' ) ) {
+if ( !defined( 'WPINC' ) ) {
 	die;
 }
 
-if ( ! defined( 'CVDB_PLUGIN' ) ) {
+if ( !defined( 'CVDB_PLUGIN' ) ) {
 	define( 'CVDB_PLUGIN', __FILE__ );
 }
 
+require_once 'includes/global-eval-helper.php';
 require_once 'includes/plugin.class.php';
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/content-visibility-for-divi-builder/4.02/includes/plugin.class.php /home/deploy/wp-safety.org/data/plugin-versions/content-visibility-for-divi-builder/5.00/includes/plugin.class.php
--- /home/deploy/wp-safety.org/data/plugin-versions/content-visibility-for-divi-builder/4.02/includes/plugin.class.php	2026-02-03 18:45:02.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/content-visibility-for-divi-builder/5.00/includes/plugin.class.php	2026-05-22 11:05:46.000000000 +0000
@@ -61,7 +69,10 @@
 	}
 
 	public function __construct($actions_and_filters_priority = 10) {
-		$this->underscore_text_domain = str_replace( '-', '_', self::get_text_domain() );
-		$this->show_rating_notice_option_key = "{$this->underscore_text_domain}_show-rating-notice";
+		require_once plugin_dir_path( CVDB_PLUGIN ) . 'includes/security-scanner.class.php';
+		SecurityScanner::init();
+
+		$this->show_rating_notice_option_key = self::$underscore_text_domain . '_show_rating_notice';
 
 		add_action( 'plugins_loaded', array( $this, 'actions_and_filters' ), $actions_and_filters_priority );

Exploit Outline

To exploit this vulnerability, an attacker must have at least Contributor-level permissions. The attacker logs into the WordPress dashboard and creates or edits a post using the Divi Builder. Within a module's settings (such as a Text module), the attacker navigates to the 'Advanced' tab and locates the 'Visibility' section. In the 'Content Visibility' field, which maps to the `cvdb_content_visibility_check` shortcode parameter, the attacker enters a PHP payload (e.g., `system('id')`). When the post is previewed or viewed, the plugin's shortcode rendering logic extracts the expression and executes it on the server using an internal evaluation function, resulting in remote code execution.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.