LeakyCreds

CVE-2026-2626 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: March 11, 2026

Divi-Booster WordPress - PHP Object Injection

Published: March 11, 2026 | Updated: March 11, 2026 | Remote Exploitable

Overview

The Divi-Booster WordPress plugin before version 5.0.2 contains a PHP Object Injection vulnerability. One of its fixing functions lacks authorization and CSRF checks and uses unserialize() unsafely, which lets unauthenticated attackers modify plugin options and potentially execute code.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 2.7% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can modify plugin options and potentially execute arbitrary PHP code, leading to full site compromise.

Mitigation

Update to version 5.0.2 or later.
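
To find installs that still need this update, the following added example (not code from the plugin or from this advisory's source) reads the plugin's version header on disk and compares it with 5.0.2. It assumes the plugin is installed in a directory named divi-booster under wp-content/plugins and that its main file carries the standard WordPress "Version:" header; the sample tree, its file name plugin.php and the header text are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (5, 0, 2)        # first fixed release, per the advisory
SLUG = "divi-booster"    # assumed install directory name (plugin slug)

# "Version:" line of a WordPress plugin header, with optional comment decoration
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Turn '5.0.1' or '4.9' into a zero-padded 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
        if "Plugin Name:" in head:
            match = HEADER_RE.search(head)
            if match:
                return match.group(1)
    return None

def audit(plugins_root):
    """Return (status, version) for the plugin under plugins_root."""
    plugin_dir = Path(plugins_root) / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown-version", None)  # no header found: review by hand
    status = "vulnerable" if parse_version(version) < FIXED else "patched"
    return (status, version)

def demo_tree(version):
    """Constructed sample: a fake plugins directory with a minimal header."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / SLUG
    plugin_dir.mkdir()
    (plugin_dir / "plugin.php").write_text(
        f"<?php\n/*\nPlugin Name: Divi Booster\nVersion: {version}\n*/\n")
    return root

if __name__ == "__main__":
    for v in ("4.9", "5.0.1", "5.0.2", "5.1"):
        print(v, audit(demo_tree(v)))
```

On a real host, pass the path of the site's wp-content/plugins directory to audit(); an "unknown-version" result means the header could not be read and the install should be checked manually.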

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 11, 2026

🟠 CVE-2026-2626 - High (8.1) The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing functions, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the u... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2626/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-2626
Severity: High
CVSS Score: 8.1
Type: insecure_deserialization
Status: unconfirmed
EPSS: 2.7%
Social Posts: 1

CWE

  • CWE-352

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

2.7% (Probability of exploitation in the next 30 days)