## Overview
The Divi Form Builder plugin for WordPress has a critical vulnerability that allows for arbitrary file uploads, leading to remote code execution. This affects all versions up to and including 5.1.8. The issue arises from insufficient validation of file extensions in the do_image_upload() function.
## Technical Details
The vulnerability is triggered when user input from the acceptFileTypes POST parameter is directly used in a regular expression for validating uploaded files. Attackers can exploit this flaw by uploading files with PHP-executable extensions such as .phtml, .phar, .php5, or .php7. This circumvents the plugin's .htaccess protections, which only block .php files. On Nginx servers, .htaccess protections are entirely ineffective, allowing unauthenticated users to upload malicious PHP files to the /wp-content/uploads/de_fb_uploads/ directory.
## Impact
Successful exploitation allows attackers to execute arbitrary PHP code on the server. This can lead to full system compromise, data theft, and further attacks on the website. The vulnerability is rated with a CVSS score of 9.8, indicating its critical nature.
## Mitigation
Defenders should immediately update the Divi Form Builder plugin to version 5.1.9 or later. Additionally, review server configurations to ensure that proper security measures are in place, especially on Nginx servers. Monitor for any unauthorized file uploads and consider implementing additional security layers, such as web application firewalls, to mitigate risks.
CSURFACE Threat Sensor