Content Visibility for Divi Builder Plugin Vulnerability (CVE-2026-1829)

Security Alert Summary

The Content Visibility for Divi Builder plugin for WordPress contains a remote code execution vulnerability affecting all versions up to and including 4.02. An authenticated attacker with Contributor-level access or higher can abuse the et_pb_text shortcode’s cvdb_content_visibility_check parameter to execute code on the server.


CVE Details

  • CVE ID: CVE-2026-1829
  • Affected component: Content Visibility for Divi Builder plugin for WordPress
  • Affected versions: All versions up to and including 4.02
  • Published: June 2, 2026 at 8:16:33 PM UTC
  • Last modified: June 2, 2026 at 8:16:33 PM UTC
  • CVSS v3.1: Base Score 8.8, Severity HIGH
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Authentication / Privileges / Interaction:
    • Authentication: Required (attacker must be authenticated)
    • Privileges required: Low (Contributor-level access and above)
    • User interaction: None
  • Primary impacts: Confidentiality: High; Integrity: High; Availability: High
  • CWE / weakness: CWE-94 (Improper Control of Generation of Code)

Technical Details

The plugin processes the cvdb_content_visibility_check parameter passed to the et_pb_text shortcode in a way that allows remote code execution. According to the vulnerability description, authenticated users with Contributor-level privileges or higher can supply crafted input to that parameter which results in execution of code on the server. CWE-94 indicates this is an unsafe code generation or evaluation weakness in the plugin’s handling of that parameter.

The practical impact is that an attacker who can create or edit content (Contributor or higher) may execute arbitrary server-side code within the context of the web server process, consistent with the CVSS impacts on confidentiality, integrity, and availability. The description names the specific shortcode parameter involved but does not include additional function names or exploit details.


How This Could Impact Your Website

In a multi-user WordPress site this vulnerability could be abused by a malicious contributor, a compromised contractor account, or any user with at least Contributor-level access. Possible realistic consequences include exposure of internal user data (for example, email addresses stored in the database), modification of site content, or disruption of site availability. These outcomes also increase the risk of targeted phishing or social engineering if internal addresses or staff information are accessed.

This vulnerability requires an authenticated account with Contributor-level permissions, so review who on your team or among external contributors is permitted to create or edit content. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review them.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Contributor-level accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and logs for unusual behavior related to content changes or code execution.
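
To support the monitoring and role-review steps above, the following added example (not part of the advisory and not the plugin's code) scans exported post content for et_pb_text shortcodes that set cvdb_content_visibility_check, and lists them for manual review with Contributor-authored posts first. The export layout (id, author, role, content) and all sample values are constructed assumptions; only the shortcode and parameter names come from the advisory.

```python
import re

SHORTCODE = "et_pb_text"                  # shortcode named in the advisory
PARAM = "cvdb_content_visibility_check"   # parameter named in the advisory

# Opening tag only; a value containing "]" ends the tag early in this scanner.
OPEN_TAG = re.compile(r"\[" + SHORTCODE + r"(?=[\s\]/])([^\]]*)\]")
# Shortcode attribute forms: name="v", name='v', name=v
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def find_param_uses(post_content):
    """Return every value given to PARAM on a SHORTCODE opening tag."""
    values = []
    for tag in OPEN_TAG.finditer(post_content):
        for attr in ATTR.finditer(tag.group(1)):
            if attr.group(1) == PARAM:
                # Exactly one of the three value groups matched.
                values.append(next(g for g in attr.groups()[1:] if g is not None))
    return values


def audit(posts):
    """List uses to review; Contributor-authored posts are sorted first."""
    findings = [
        {"post_id": p["id"], "author": p["author"], "role": p["role"], "value": v}
        for p in posts
        for v in find_param_uses(p["content"])
    ]
    findings.sort(key=lambda f: (f["role"] != "contributor", f["post_id"]))
    return findings


# Constructed sample export (hypothetical layout and placeholder values).
SAMPLE_POSTS = [
    {"id": 100, "author": "carol", "role": "administrator", "content":
     "[et_pb_text admin_label='Members' cvdb_content_visibility_check='CONSTRUCTED_VALUE_B']Text[/et_pb_text]"},
    {"id": 101, "author": "alice", "role": "editor", "content":
     '[et_pb_section][et_pb_text admin_label="Intro"]<p>Hello</p>[/et_pb_text][/et_pb_section]'},
    {"id": 102, "author": "bob", "role": "contributor", "content":
     '[et_pb_text cvdb_content_visibility_check="CONSTRUCTED_VALUE_A" admin_label="Promo"]Text[/et_pb_text]'},
    {"id": 103, "author": "dave", "role": "author", "content":
     "<p>Notes: cvdb_content_visibility_check is mentioned here in plain text only.</p>"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_POSTS):
        print(f"post {f['post_id']} by {f['author']} ({f['role']}): {f['value']!r}")
```

Every hit is a candidate for review, not a verdict: the scanner reports where the parameter is set and by whom, and leaves judging the value to the reviewer.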

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

