CVE-2026-1829 in Content Visibility for Divi Builder Plugin
Summary
by MITRE • 06/03/2026
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'et_pb_text' shortcode 'cvdb_content_visibility_check' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/03/2026
The Content Visibility for Divi Builder plugin presents a critical remote code execution vulnerability that affects all versions up to and including 4.02. This flaw resides within the et_pb_text shortcode implementation and specifically targets the cvdb_content_visibility_check parameter, creating a significant security risk for WordPress installations. The vulnerability's exploitation requires only authenticated access with Contributor-level privileges or higher, making it particularly dangerous as it can be leveraged by users who already have partial system access. The attack vector involves manipulating the cvdb_content_visibility_check parameter to inject malicious code that executes on the target server with the privileges of the web application.
The technical implementation of this vulnerability stems from inadequate input validation and sanitization within the plugin's shortcode processing logic. When the et_pb_text shortcode processes the cvdb_content_visibility_check parameter, it fails to properly validate or sanitize user-supplied data before incorporating it into server-side operations. This creates a classic path for code injection attacks where malicious payloads can be executed within the context of the WordPress environment. The vulnerability aligns with CWE-94, which describes improper validation of critical control items, and represents a direct exploitation of insufficient input sanitization in web applications. Attackers can leverage this weakness to execute arbitrary commands on the server, potentially leading to complete system compromise.
The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with persistent access to the compromised WordPress installation. Once exploited, authenticated attackers can manipulate content visibility settings to hide malicious activities while maintaining their foothold. The vulnerability affects the entire Divi Builder ecosystem and can be particularly damaging in multi-user environments where contributors might have unintended access to sensitive server operations. This weakness can be exploited to establish backdoors, exfiltrate data, or further compromise the WordPress installation through additional attack vectors. The low privilege requirement for exploitation means that even relatively low-privilege users can cause significant damage to the system's integrity.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the code execution flaw, as patched versions typically implement proper input validation and sanitization measures. Administrators should also implement network-level restrictions and monitor for unusual activity related to content visibility settings. The principle of least privilege should be enforced by limiting contributor-level access to only necessary functions, as this reduces the attack surface for such vulnerabilities. Additionally, implementing web application firewalls and monitoring for suspicious shortcode parameter usage can help detect exploitation attempts. This vulnerability demonstrates the importance of proper input validation in WordPress plugins and aligns with ATT&CK technique T1059, which covers execution through command and scripting interpreters, emphasizing the need for robust sanitization of user inputs in web applications.