CVE-2026-2626

Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection

We have discovered 1,002 live websites that are affected by CVE-2026-2626.

Run a Free Instant Scan

Common Weakness Enumeration

CWE-502 Deserialization of Untrusted Data

Available Reports

Website List

Details

Published - Mar 11, 2026
Updated - Mar 11, 2026

Credits

Saif (Team 51) (finder)
WPScan (coordinator)

CVE References

CWE References

cwe.mitre.org

CWE

CWE-502

Website Distribution by Country

Number of websites using CVE-2026-2626

United States	457 websites

Germany	109 websites
GB	59 websites
Spain	59 websites
France	41 websites
Netherlands	35 websites
Canada	33 websites
Australia	26 websites
Italy	26 websites
South Africa	15 websites

Website Distribution by TLD

Number of websites using CVE-2026-2626

.com	438 websites
.org	136 websites
.de	79 websites
.co.uk	38 websites
.nl	32 websites
.es	26 websites
.ca	23 websites
.com.au	21 websites
.net	15 websites
.it	14 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Websites affected by CVE-2026-2626

Top websites that are affected by CVE-2026-2626. Please click on the "Contact us" link to get more information.

Domain	Country	Rank
********.de	Germany	,*
***************.com	United States	,*
****.org	United States	,*
*****************************.org	United States	*,*
************.se	Sweden	*,*
**********.de	Germany	*,*
**************.org	United States	*,*
*******.com	United States	*,*
*************.com	United States	*,*
*****************..uk	GB	*,*

See full domain list

References

https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/