CVE-2026-1829 Overview
CVE-2026-1829 is a Remote Code Execution (RCE) vulnerability in the Content Visibility for Divi Builder plugin for WordPress. The flaw affects all versions up to and including 4.02. It resides in the et_pb_text shortcode handler, specifically the cvdb_content_visibility_check parameter, which is processed without proper validation. Authenticated users with Contributor-level access or higher can supply attacker-controlled input that the plugin evaluates on the server, leading to arbitrary code execution. The weakness is classified as CWE-94: Improper Control of Generation of Code.
Critical Impact
A Contributor account is sufficient to achieve full code execution on the underlying WordPress host, compromising site confidentiality, integrity, and availability.
Affected Products
- Content Visibility for Divi Builder plugin for WordPress, versions ≤ 4.02
- WordPress sites with the Divi Builder ecosystem and this plugin installed
- Sites permitting Contributor-level user registration or with compromised low-privilege accounts
Discovery Timeline
- 2026-06-02 - CVE-2026-1829 published to NVD
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-1829
Vulnerability Analysis
The Content Visibility for Divi Builder plugin extends the et_pb_text shortcode with a visibility check controlled by the cvdb_content_visibility_check parameter. The plugin passes the parameter value into a code evaluation path without sanitization or allow-listing, treating user-supplied input as executable logic. Because WordPress shortcodes are rendered server-side when posts are previewed or viewed, an attacker who can save a post containing the malicious shortcode triggers execution in the PHP context of the web server. Contributor accounts in WordPress can create draft posts and preview them, which is enough to reach the vulnerable code path. Successful exploitation grants the attacker the same privileges as the web server process, enabling webshell deployment, credential theft from wp-config.php, or pivoting to adjacent systems.
Root Cause
The root cause is improper control of code generation [CWE-94] in the visibility check routine. The plugin accepts a string argument from the shortcode attribute and routes it to a dynamic evaluation function rather than comparing it against a fixed set of expected values. See the vulnerable code snippet and the fix in changeset 3543621 for the corrected implementation.
Attack Vector
The attack is network-based and requires low-privilege authentication. An attacker logs in as a Contributor, creates or edits a post, and embeds an et_pb_text shortcode whose cvdb_content_visibility_check attribute contains malicious PHP. Rendering the post — through preview, frontend view, or any shortcode-processing endpoint — invokes the vulnerable handler and executes the payload. No user interaction beyond the attacker's own session is required. See the Wordfence vulnerability report for additional context.
Detection Methods for CVE-2026-1829
Indicators of Compromise
- Posts or drafts containing et_pb_text shortcodes with unusual cvdb_content_visibility_check attribute values referencing PHP functions such as system, exec, passthru, eval, or base64_decode.
- New PHP files in wp-content/uploads/, theme directories, or plugin directories created by the web server user shortly after a Contributor login.
- Unexpected outbound network connections from the WordPress host to attacker-controlled infrastructure.
- New or modified administrator accounts and unscheduled changes to wp-config.php or .htaccess.
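The following Python script is an added example, not code from the plugin, Wordfence or NVD. It implements the indicator above and the allow-list comparison described under Root Cause: it parses et_pb_text shortcodes out of post content, extracts the cvdb_content_visibility_check attribute and classifies each value as expected, suspicious (PHP call tokens or backticks) or unknown. The allow-list EXPECTED_VALUES and the sample post rows are constructed assumptions, since the page does not list the values the plugin legitimately accepts.

```python
import re
from typing import Iterable

# Values the visibility check is expected to carry. These are assumed for the
# example; substitute the strings your plugin version documents.
EXPECTED_VALUES = {"", "on", "off", "logged_in", "logged_out"}

# PHP call tokens and the backtick operator named in the indicators of compromise.
DANGEROUS_TOKENS = re.compile(
    r"\b(system|exec|passthru|shell_exec|eval|base64_decode|assert)\s*\(|`",
    re.IGNORECASE,
)

# Opening [et_pb_text ...] tag; quoted runs may contain ']' without ending the tag.
SHORTCODE_RE = re.compile(
    r"""\[et_pb_text\b((?:"[^"]*"|'[^']*'|[^\]])*)\]""", re.IGNORECASE
)
# name="value", name='value' or bare name=value inside the tag.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

TARGET_ATTR = "cvdb_content_visibility_check"


def parse_attributes(attr_text: str) -> dict[str, str]:
    """Parse the attribute portion of a shortcode tag into a dict."""
    attrs: dict[str, str] = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        # Exactly one of the three value groups matched; pick it.
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[name] = value
    return attrs


def classify_value(value: str) -> str:
    """'expected' if on the allow-list, 'suspicious' if it carries PHP call
    tokens or backticks, otherwise 'unknown' (review by hand)."""
    if value in EXPECTED_VALUES:
        return "expected"
    if DANGEROUS_TOKENS.search(value):
        return "suspicious"
    return "unknown"


def audit_posts(posts: Iterable[tuple[int, str]]) -> list[dict]:
    """Scan (ID, post_content) rows and report every visibility value that is
    not on the allow-list, with its verdict and the post it came from."""
    findings = []
    for post_id, content in posts:
        for tag in SHORTCODE_RE.finditer(content):
            attrs = parse_attributes(tag.group(1))
            if TARGET_ATTR not in attrs:
                continue
            value = attrs[TARGET_ATTR]
            verdict = classify_value(value)
            if verdict != "expected":
                findings.append({"post_id": post_id, "value": value, "verdict": verdict})
    return findings


# Constructed rows standing in for `SELECT ID, post_content FROM wp_posts`.
SAMPLE_POSTS = [
    (101, '[et_pb_text cvdb_content_visibility_check="logged_in"]Members only[/et_pb_text]'),
    (102, '[et_pb_text cvdb_content_visibility_check="system(\'id\')"]test[/et_pb_text]'),
    (103, "[et_pb_text cvdb_content_visibility_check='`whoami`']test[/et_pb_text]"),
    (104, '[et_pb_text cvdb_content_visibility_check="tuesday_only"]test[/et_pb_text]'),
    (105, '[et_pb_text admin_label="Plain block"]no visibility attribute[/et_pb_text]'),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(f"post {finding['post_id']}: {finding['verdict']:10} {finding['value']!r}")
```

In practice the rows come from the wp_posts table (a `WHERE post_content LIKE '%cvdb_content_visibility_check%'` filter keeps the scan small); the "unknown" verdict exists so that a value outside the allow-list is still surfaced for review even when it carries none of the listed PHP tokens.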
Detection Strategies
- Audit the wp_posts table for shortcode attributes matching cvdb_content_visibility_check and review their values against an allow-list of expected strings.
- Monitor PHP process trees for child processes spawned by the web server (php-fpm, apache2, nginx) executing shell utilities.
- Inspect WordPress access logs for POST requests to post.php, post-new.php, and admin-ajax.php from Contributor-role accounts followed by frontend GETs to the same posts.
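As an added example of the process-tree check in the second strategy (not code from the page, the plugin or any vendor product), the Python below parses `ps -eo pid,ppid,user,comm` output and flags shell utilities whose ancestry leads back to a web server worker. The process listing is constructed for the example, and the lists of web server names and shell utilities are assumptions to tune for the host.

```python
from dataclasses import dataclass

# Parent names that mean "this was spawned by the web tier" (prefix match,
# so versioned names such as php-fpm8.2 are covered).
WEB_SERVER_PROCS = ("php-fpm", "apache2", "httpd", "nginx")
# Utilities a PHP worker has no routine reason to run; assumed list.
SHELL_UTILITIES = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat", "perl", "python3", "base64"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo pid,ppid,user,comm` output; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, comm = parts
        procs.append(Proc(int(pid), int(ppid), user, comm))
    return procs


def is_web_server(comm: str) -> bool:
    return comm.startswith(WEB_SERVER_PROCS)


def web_server_shell_children(procs: list[Proc], max_depth: int = 16) -> list[dict]:
    """Return one alert per shell utility that has a web server ancestor,
    with the ancestry chain from the utility up to that server."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        if p.comm not in SHELL_UTILITIES:
            continue
        chain = [p.comm]
        ancestor = by_pid.get(p.ppid)
        depth = 0  # bounded walk guards against a malformed, cyclic listing
        while ancestor is not None and depth < max_depth:
            chain.append(ancestor.comm)
            if is_web_server(ancestor.comm):
                alerts.append({"pid": p.pid, "user": p.user, "chain": " <- ".join(chain)})
                break
            ancestor = by_pid.get(ancestor.ppid)
            depth += 1
    return alerts


# Constructed listing: a php-fpm worker (801) has spawned sh, which spawned curl;
# the cron and sshd shells are legitimate and must not be flagged.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  800     1 root     php-fpm
  801   800 www-data php-fpm
  802   800 www-data php-fpm
  950   801 www-data sh
  951   950 www-data curl
 1200     1 root     cron
 1201  1200 root     sh
 1300     1 root     sshd
 1301  1300 admin    bash
"""

if __name__ == "__main__":
    for alert in web_server_shell_children(parse_ps(SAMPLE_PS)):
        print(f"pid {alert['pid']} ({alert['user']}): {alert['chain']}")
```

Run it periodically from cron or feed the same logic live process-creation events from an EDR; the ancestry walk matters because a payload usually runs a shell first and the interesting utility one level further down.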
Monitoring Recommendations
- Enable WordPress activity logging to capture post creation, shortcode usage, and role changes by low-privilege accounts.
- Forward web server, PHP error, and WordPress audit logs to a centralized analytics platform such as Singularity Data Lake for correlation across endpoints and identities.
- Alert on file integrity changes within WordPress plugin and theme directories using behavioral identification from Singularity Endpoint.
How to Mitigate CVE-2026-1829
Immediate Actions Required
- Update the Content Visibility for Divi Builder plugin to a version newer than 4.02 that incorporates changeset 3543621.
- Review and rotate credentials for all Contributor, Author, Editor, and Administrator accounts on affected sites.
- Audit all posts and drafts for malicious et_pb_text shortcodes and remove suspicious entries.
- Scan the WordPress filesystem for webshells and unauthorized PHP files created since plugin installation.
Patch Information
The vendor addressed the flaw in the release corresponding to changeset 3543621. Site administrators should apply the update through the WordPress plugin manager or via WP-CLI as soon as possible.
Workarounds
- Deactivate and remove the Content Visibility for Divi Builder plugin until the patched version is deployed.
- Restrict new user registration and disable the Contributor role on production sites that do not require it.
- Deploy a web application firewall rule blocking requests that contain cvdb_content_visibility_check attribute values with PHP function names or backtick characters.
# Update via WP-CLI once the patched release is available
wp plugin update content-visibility-for-divi-builder
# Or deactivate and uninstall as a temporary workaround
wp plugin deactivate content-visibility-for-divi-builder
wp plugin uninstall content-visibility-for-divi-builder
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.