
Security Bulletin for 2 July 2026: Critical Unauthenticated Remote Code Execution in Divi Form Builder, File Deletion in Printcart, File Read in Ninja Forms File Uploads and File Deletion in the Elementor Image Optimizer Plugin

2 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 2 July 2026 is an eventful day: we highlight four vulnerabilities that all revolve around unsafe file handling (upload, deletion and read of files). The first three are exploitable without a login and have each already been fixed; the fourth affects a plugin common in the Elementor ecosystem, requires at least the Author role and has not yet been fixed.

CVE-2026-5524 — Unauthenticated Code Execution in Divi Form Builder (critical)

Divi Form Builder, a forms add-on for the widely used Divi theme, contains a critical vulnerability in all versions up to and including 5.1.8 that can be exploited without a login. The image upload routine (do_image_upload) checks the permitted file types inadequately: the underlying filtering can be bypassed, so an attacker can upload an executable PHP file instead of an image. This turns a plain file upload into full code execution and, in turn, a takeover of the site. The National Vulnerability Database assigns a CVSS score of 9.8, classifies the flaw as critical and assigns it to weakness class CWE-434 (unrestricted upload of file with dangerous type). The vulnerability is fixed in version 5.1.9, to which operators should update without delay. Because the fix does not remove anything already uploaded, it is also advisable to inspect the upload directory (wp-content/uploads) for unexpected files with extensions such as .php, .phtml or .phar, and for .htaccess files that nobody placed there deliberately.

Sources: National Vulnerability Database — CVE-2026-5524 · Wordfence — Divi Form Builder CVE-2026-5524
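The post-update check recommended above, as an added example for this bulletin (not code from Divi Form Builder or from any vendor named here): it walks an uploads tree and flags files with PHP-executable extensions, including double extensions such as shell.php.jpg, server override files dropped into the tree, and files whose content carries a PHP open tag regardless of their name. The sample tree it builds is constructed for the demonstration; the extension list and the one-mebibyte content window are this example's own choices.

```python
"""Scan a WordPress uploads tree for files that should never be there.

Added example for this security bulletin; not code from Divi Form Builder
or any other plugin named in it. The sample tree below is constructed.
"""
import os
import re
import tempfile

# Extensions that PHP SAPIs or common Apache handler configs will execute
# (the set is this example's assumption; extend it for your server config).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "pht"}
# Per-directory config files an attacker drops to make other extensions executable.
OVERRIDE_FILES = {".htaccess", ".user.ini"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def suspicious_reasons(path: str) -> list[str]:
    """Return the reasons a single file is suspicious (empty list = clean)."""
    reasons = []
    name = os.path.basename(path)
    if name in OVERRIDE_FILES:
        reasons.append("server override file in uploads")
    # Look at every dotted segment, not just the last: shell.php.jpg has "php"
    # as an inner segment and is executed under AddHandler-style configs.
    segments = [s.lower() for s in name.split(".")[1:]]
    hits = PHP_EXTENSIONS.intersection(segments)
    if hits:
        reasons.append("PHP-executable extension: " + ",".join(sorted(hits)))
    try:
        with open(path, "rb") as fh:
            head = fh.read(1024 * 1024)  # content check on the first MiB only
    except OSError:
        return reasons
    if PHP_OPEN_TAG.search(head):
        reasons.append("PHP open tag in content")
    return reasons


def scan_uploads(root: str) -> dict[str, list[str]]:
    """Walk root and map relative path (forward slashes) -> reasons for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = suspicious_reasons(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_demo_tree() -> str:
    """Create a constructed uploads tree (sample data, not taken from a real site)."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    month = os.path.join(root, "2026", "07")
    os.makedirs(month)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF...",                            # clean image
        "shell.php": b"<?php system($_GET['c']); ?>",                       # web shell
        "avatar.php.jpg": b"<?php echo 'x'; ?>",                            # double extension
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"<?php eval($_POST['p']);",     # polyglot image
        ".htaccess": b"AddType application/x-httpd-php .jpg\n",             # handler override
        "notes.txt": b"just text",                                          # clean
    }
    for fname, data in samples.items():
        with open(os.path.join(month, fname), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, why in sorted(scan_uploads(demo_root).items()):
        print(f"{rel}: {'; '.join(why)}")
```

Run it against the real directory with `scan_uploads("/var/www/html/wp-content/uploads")`; every hit needs a human decision, since legitimate plugins occasionally write .htaccess files into uploads, but a PHP open tag inside an image file is never legitimate.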

CVE-2026-9725 — Unauthenticated File Deletion in Printcart (WooCommerce) (critical)

The Printcart Web to Print Product Designer plugin for WooCommerce, which provides product-designer features for online shops, contains a critical vulnerability in all versions up to and including 2.5.2 that can be exploited without a login and allows arbitrary files to be deleted. Because the file path is not adequately validated, an attacker can steer the deletion outside the intended directory and remove files elsewhere, for example the central configuration file wp-config.php. Removing that file drops WordPress back into its installation wizard, which is why its deletion can pave the way to a full takeover of the site. The flaw is classified as critical with a CVSS score of 9.1. It is fixed in version 2.5.3, to which operators should update immediately. (Note: the associated NVD entry was still reserved at the time of writing; the details rely on the Wordfence and WPScan advisories.)

Sources: Wordfence — Printcart CVE-2026-9725 · WPScan — Printcart

CVE-2026-13369 — Unauthenticated File Read in Ninja Forms File Uploads (high)

The File Uploads add-on for the Ninja Forms plugin contains a path traversal vulnerability in all versions up to and including 3.3.29 that can be exploited without a login. When processing email attachments (attach_files), a file path is not adequately constrained, so an attacker can read arbitrary files from the server via crafted path values — including sensitive configuration files. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-22 (improper limitation of a pathname to a restricted directory). The vulnerability is fixed in version 3.3.30, released the same day, to which operators should update promptly.

Sources: National Vulnerability Database — CVE-2026-13369 · Ninja Forms — File Uploads changelog
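The Printcart deletion and the Ninja Forms File Uploads read above (and the Image Optimizer deletion below) are all the same class of bug: a user-controlled path is joined to a base directory and used without checking where it ends up. The following added example, written for this bulletin and not taken from any of those plugins, puts the vulnerable join next to a hardened variant and runs constructed traversal payloads against both; the function names and the sample site layout are this example's own.

```python
"""Path containment: the check missing in the file-delete and file-read
flaws discussed in this bulletin. Added example, not plugin code.
"""
import os
import tempfile


def unsafe_target(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: join the user value to the base and trust the result.

    Two things go wrong: '../' segments walk out of base_dir, and an absolute
    user_path makes os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, user_path)


def safe_target(base_dir: str, user_path: str) -> str:
    """Return the resolved path of user_path inside base_dir, or raise ValueError.

    realpath() normalises '..' and follows symlinks, so a symlink planted inside
    base_dir that points outside is rejected too. The containment test runs on
    the resolved path, never on the raw string.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return candidate


def try_delete(base_dir: str, user_path: str) -> str:
    """Hardened delete: returns 'deleted', 'missing' or 'rejected'."""
    try:
        target = safe_target(base_dir, user_path)
    except ValueError:
        return "rejected"
    if not os.path.isfile(target):
        return "missing"
    os.remove(target)
    return "deleted"


def build_demo_site() -> tuple[str, str]:
    """Constructed layout: <root>/wp-config.php and <root>/uploads/2026/07/design.png."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    uploads = os.path.join(root, "uploads", "2026", "07")
    os.makedirs(uploads)
    for rel in ("wp-config.php", os.path.join("uploads", "2026", "07", "design.png")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root, uploads


def demo() -> dict:
    """For each payload: does the unsafe join land on wp-config.php, and what does the hardened delete do?"""
    root, uploads = build_demo_site()
    config = os.path.join(root, "wp-config.php")
    payloads = {
        "design.png": "legitimate upload",
        "../../../wp-config.php": "relative traversal",
        config: "absolute path",
        "x/../../../../wp-config.php": "traversal hidden behind a fake subdir",
    }
    results = {}
    for payload, label in payloads.items():
        unsafe = os.path.realpath(unsafe_target(uploads, payload))
        results[label] = (unsafe == os.path.realpath(config), try_delete(uploads, payload))
    return {"results": results, "config_present": os.path.exists(config)}


if __name__ == "__main__":
    outcome = demo()
    for label, (hits_config, hardened) in outcome["results"].items():
        print(f"{label:40} unsafe join -> wp-config.php: {hits_config!s:5} hardened: {hardened}")
    print("wp-config.php still present:", outcome["config_present"])
```

The same `safe_target` check serves a file-read routine such as an attachment handler: resolve first, compare against the resolved base, and only then open or unlink. Checking the raw string for `..` is not a substitute, because encoded or symlinked detours never contain that substring.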

CVE-2026-5821 — File Deletion in the Elementor Image Optimizer Plugin (high)

The Image Optimizer – Optimize Images and Convert to WebP or AVIF plugin, which comes from the maker of Elementor and compresses images and converts them into modern formats, contains a vulnerability in all versions up to and including 1.7.4 that allows arbitrary files to be deleted. Via an inadequately validated, attacker-controlled path or metadata value (in the Image_Backup::remove function), a logged-in user with at least the Author role can remove files outside the intended directory, up to central files whose loss can take the site down or enable a further takeover. The National Vulnerability Database assigns a CVSS score of 8.1, classifies the flaw as high and assigns it to weakness class CWE-73 (external control of file name or path). At the time of writing no corrected version is listed. Operators should watch for a release newer than 1.7.4 and install it as soon as it appears; until then, deactivate the plugin, or at minimum make sure that only trusted users hold the Author role or higher, since that is the privilege the attack requires. Because tools from the Elementor ecosystem are in use across many installations, especially agency-managed ones, a targeted inventory is worthwhile here.

Sources: National Vulnerability Database — CVE-2026-5821 · CIRCL — CVE-2026-5821
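The inventory recommended above, as an added example for this bulletin (not a tool from any vendor named here): it reads the `Plugin Name:` and `Version:` headers that WordPress itself parses from the first 8 KiB of a plugin's main PHP file and compares each installed version against the affected ranges stated in the four sections of this bulletin. The plugin-name substrings used for matching and the sample plugin directory are assumptions constructed for the demonstration; adjust the substrings to the headers of the plugins actually installed.

```python
"""Check an installed wp-content/plugins tree against this bulletin's advisories.

Added example for this security bulletin, not vendor code. Name substrings
and the sample plugin tree are constructed assumptions.
"""
import os
import re
import tempfile

# (required substrings of the Plugin Name header, last affected version, fixed version or None).
# Ranges are the ones stated in this bulletin; the substrings are assumptions.
ADVISORIES = [
    (("Divi Form Builder",), "5.1.8", "5.1.9"),
    (("Printcart",), "2.5.2", "2.5.3"),
    (("Ninja Forms", "File Uploads"), "3.3.29", "3.3.30"),
    (("Image Optimizer",), "1.7.4", None),  # no fixed version at time of writing
]
# Same shape as the header regex WordPress uses: optional comment decoration, then "Key:".
HEADER_RE = {
    key: re.compile(rf"^[ \t/*#@]*{key}:(.*)$", re.IGNORECASE | re.MULTILINE)
    for key in ("Plugin Name", "Version")
}


def version_key(version: str) -> tuple[int, ...]:
    """Numeric tuple for dotted versions; parsing stops at the first non-numeric part."""
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def read_headers(main_file: str) -> dict[str, str]:
    """Extract Plugin Name and Version from the first 8 KiB of a plugin file."""
    with open(main_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", errors="replace")
    found = {}
    for key, rx in HEADER_RE.items():
        match = rx.search(head)
        if match:
            found[key] = match.group(1).split("*/")[0].strip()
    return found


def plugin_headers(plugins_dir: str) -> list[dict[str, str]]:
    """One header dict per plugin folder: the first .php file carrying a Plugin Name header."""
    results = []
    for slug in sorted(os.listdir(plugins_dir)):
        folder = os.path.join(plugins_dir, slug)
        if not os.path.isdir(folder):
            continue
        for fname in sorted(os.listdir(folder)):
            if not fname.endswith(".php"):
                continue
            headers = read_headers(os.path.join(folder, fname))
            if "Plugin Name" in headers:
                headers["slug"] = slug
                results.append(headers)
                break
    return results


def check_inventory(plugins_dir: str) -> list[tuple[str, str, str]]:
    """Return (slug, installed version, verdict) for every plugin matching an advisory.

    A missing Version header parses to an empty tuple and is treated as affected:
    an unknown version is not evidence of a fix.
    """
    report = []
    for headers in plugin_headers(plugins_dir):
        name = headers["Plugin Name"].lower()
        installed = headers.get("Version", "")
        for needles, last_affected, fixed in ADVISORIES:
            if not all(n.lower() in name for n in needles):
                continue
            if version_key(installed) <= version_key(last_affected):
                verdict = f"VULNERABLE (update to {fixed})" if fixed else "VULNERABLE (no fix; deactivate)"
            else:
                verdict = "ok"
            report.append((headers["slug"], installed, verdict))
    return report


def build_demo_plugins() -> str:
    """Constructed plugins directory with sample headers; slugs and files are not real plugins."""
    root = tempfile.mkdtemp(prefix="plugins-demo-")
    samples = {
        "sample-divi-forms": ("Divi Form Builder", "5.1.8"),
        "sample-image-optimizer": ("Image Optimizer - Optimize Images and Convert to WebP or AVIF", "1.7.4"),
        "sample-ninja-uploads": ("Ninja Forms - File Uploads", "3.3.30"),
        "sample-unrelated": ("Hello Dolly", "1.7.2"),
    }
    for slug, (name, version) in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, f"{slug}.php"), "w") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for slug, installed, verdict in check_inventory(build_demo_plugins()):
        print(f"{slug:28} {installed:10} {verdict}")
```

Point `check_inventory` at `/var/www/html/wp-content/plugins` (or loop over every site an agency manages) and treat every `VULNERABLE` line as a work item; substring matching is deliberately loose, so confirm a hit against the plugin's full header before acting on it.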



This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.