Impact
The Content Visibility for Divi Builder plugin for WordPress contains a code injection flaw in its handling of the 'et_pb_text' shortcode: the value of the 'cvdb_content_visibility_check' attribute is processed and evaluated as code on the server, so whoever controls that attribute controls what the server runs. The impact is complete compromise of the hosting environment, since an attacker could modify files, exfiltrate data, or install persistent backdoors. The weakness is categorized as CWE-94, Improper Control of Generation of Code ('Code Injection').
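The pattern behind a flaw like this, as an added example that is not the plugin's code or OpenCVE's: a hypothetical reconstruction in which a shortcode attribute is handed to eval(), next to a hardened handler that treats the same attribute as a lookup key into a fixed table of conditions. All function names, the condition table and the demo payload are assumptions for illustration; the real plugin's internals are not described in the CVE text.

```php
<?php
// Added example, not code from the plugin or from OpenCVE: a hypothetical
// reconstruction of the CWE-94 pattern the advisory describes. Function names,
// the condition table and the demo payload are assumptions for illustration.

// VULNERABLE pattern: the shortcode attribute is treated as PHP source.
// Anyone who can save [et_pb_text cvdb_content_visibility_check="..."] in a
// post (Contributor or higher) decides what the server executes.
function cvdb_vulnerable_visibility_check(array $atts, string $content): string
{
    $expr = (string) ($atts['cvdb_content_visibility_check'] ?? '');
    if ($expr === '') {
        return $content;
    }
    // eval() on attacker-controlled data is the whole bug.
    $visible = (bool) eval('return (' . $expr . ');');
    return $visible ? $content : '';
}

// HARDENED pattern: the attribute is data that selects a named condition from
// a fixed table; the string is never executed, and unknown names fail closed.
const CVDB_ALLOWED_CONDITIONS = [
    'always'     => 'cvdb_cond_always',
    'logged_in'  => 'cvdb_cond_logged_in',
    'logged_out' => 'cvdb_cond_logged_out',
];

function cvdb_cond_always(): bool { return true; }
function cvdb_cond_logged_in(): bool { return cvdb_user_logged_in(); }
function cvdb_cond_logged_out(): bool { return !cvdb_user_logged_in(); }

// Uses WordPress's is_user_logged_in() when available, so this file also runs
// under plain `php` for the demo below.
function cvdb_user_logged_in(): bool
{
    return function_exists('is_user_logged_in') ? is_user_logged_in() : false;
}

function cvdb_hardened_visibility_check(array $atts, string $content): string
{
    $name = strtolower(trim((string) ($atts['cvdb_content_visibility_check'] ?? 'always')));
    if (!isset(CVDB_ALLOWED_CONDITIONS[$name])) {
        return ''; // fail closed: hide the content rather than guess
    }
    return call_user_func(CVDB_ALLOWED_CONDITIONS[$name]) ? $content : '';
}

// Inside WordPress, register only the hardened handler (demo tag name).
if (function_exists('add_shortcode')) {
    add_shortcode('cvdb_demo_text', 'cvdb_hardened_visibility_check');
}

// Stand-alone demo: `php cvdb_pattern.php`. The payload is deliberately
// harmless, but it is an arbitrary function call the attacker chose.
if (PHP_SAPI === 'cli' && !function_exists('add_shortcode')) {
    $atts = ['cvdb_content_visibility_check' => 'strlen(php_uname()) > 0'];
    printf("vulnerable:       %s\n", var_export(cvdb_vulnerable_visibility_check($atts, 'secret'), true));
    printf("hardened:         %s\n", var_export(cvdb_hardened_visibility_check($atts, 'secret'), true));
    printf("hardened, always: %s\n", var_export(cvdb_hardened_visibility_check(['cvdb_content_visibility_check' => 'always'], 'secret'), true));
}
```

The hardened handler never builds code from the attribute at all; the only thing the attribute can do is pick one of the three names in the table, and anything else hides the content. That is the property a fix for this class of bug has to establish: the attribute is a key, not a program.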
Affected Systems
The vulnerability affects the jhorowitz 'Content Visibility for Divi Builder' plugin for WordPress in all releases up to and including version 4.02; any site running one of those releases is susceptible. Upgrading to a release newer than 4.02 resolves the issue. No other WordPress core components or third-party plugins are listed in the CVE as affected.
Risk and Exploitability
The CVSS score of 8.8 places this flaw in the high-severity band. No EPSS score is available and the CVE is not on the KEV list, so there is no public signal either way about exploitation in the wild; that absence should not be read as low risk. Exploitation requires an authenticated account with the Contributor role or higher, which is enough to insert the malicious shortcode into a post or page. When the shortcode is rendered, the injected code runs with the web server's privileges, the same privileges the whole WordPress installation runs under. Contributors cannot publish, but they can save drafts and preview them; whether the attribute is evaluated at preview time or only once the post is published is not stated in the CVE text, so unpublished drafts and revisions should be treated as in scope. The need for authenticated access lowers the risk relative to unauthenticated vectors, but Contributor is the lowest role that can author content and is routinely handed to guest writers, so the impact warrants urgent attention.
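A hunt for exploitation attempts already sitting in the database, as an added example that is neither the plugin's code nor OpenCVE's. It runs stand-alone on the constructed sample rows embedded below; inside WordPress (for instance via `wp eval-file`) the cvdb_scan_wpdb() helper pulls real rows of every post type and status, so the drafts and revisions a Contributor could save without publishing are covered. Column names follow wp_posts; the "suspicious value" heuristic is an assumption, because the CVE text does not say what a legitimate attribute value looks like.

```php
<?php
// Added example, not code from the plugin or from OpenCVE: a hunt for
// exploitation attempts stored in wp_posts. Runs stand-alone on the
// constructed sample rows below; inside WordPress (e.g. `wp eval-file`)
// cvdb_scan_wpdb() feeds it real rows. The "suspicious value" heuristic is an
// assumption, since the CVE text does not describe legitimate values.

// Match an [et_pb_text ...] opening tag carrying cvdb_content_visibility_check
// and capture its value whether double-, single- or un-quoted.
const CVDB_ATTR_PATTERN =
    '/\[et_pb_text\b[^\]]*?\bcvdb_content_visibility_check\s*=\s*' .
    '(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';

// Strong indicators that the value is PHP rather than a flag or condition name.
const CVDB_HIGH_RISK_PATTERN =
    '/\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|' .
    'base64_decode|file_put_contents|include|require|call_user_func)\s*\(' .
    '|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|`/i';

function cvdb_classify_value(string $value): string
{
    if (preg_match('/^[A-Za-z0-9_\-]{0,64}$/', $value)) {
        return 'benign';   // bare token: a flag or condition name
    }
    if (preg_match(CVDB_HIGH_RISK_PATTERN, $value)) {
        return 'high';     // code-execution primitives or request input
    }
    return 'medium';       // operators, quotes, parentheses: not a flag either
}

// One wp_posts row in, zero or more findings out.
function cvdb_scan_post(int $id, int $author, string $status, string $content): array
{
    $findings = [];
    if (!preg_match_all(CVDB_ATTR_PATTERN, $content, $matches, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($matches as $m) {
        // Exactly one of the three capture groups matched; concatenating the
        // (possibly absent) groups yields that value.
        $value = ($m[1] ?? '') . ($m[2] ?? '') . ($m[3] ?? '');
        $findings[] = [
            'post_id' => $id, 'author' => $author, 'status' => $status,
            'value'   => $value, 'level' => cvdb_classify_value($value),
        ];
    }
    return $findings;
}

// Inside WordPress: every post type and status, including revisions and the
// drafts a Contributor could save but never publish.
function cvdb_scan_wpdb(): array
{
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts}
         WHERE post_content LIKE '%cvdb_content_visibility_check%'",
        ARRAY_A
    );
    $findings = [];
    foreach ($rows as $r) {
        $findings = array_merge($findings, cvdb_scan_post(
            (int) $r['ID'], (int) $r['post_author'], $r['post_status'], $r['post_content']));
    }
    return $findings;
}

// Stand-alone demo on constructed rows (IDs, authors and content are made up).
if (PHP_SAPI === 'cli' && !function_exists('add_shortcode')) {
    $sample = [
        [101, 7,  'publish',  '[et_pb_text cvdb_content_visibility_check="logged_in"]Members only[/et_pb_text]'],
        [102, 12, 'draft',    '[et_pb_text cvdb_content_visibility_check="system(base64_decode(\'aWQ=\'))"]x[/et_pb_text]'],
        [103, 12, 'pending',  "[et_pb_text cvdb_content_visibility_check='1==1 && file_put_contents(\"/tmp/a\",\"x\")']y[/et_pb_text]"],
        [104, 3,  'publish',  '[et_pb_text admin_label="Text"]no attribute at all[/et_pb_text]'],
        [105, 3,  'revision', '[et_pb_text cvdb_content_visibility_check=always]unquoted[/et_pb_text]'],
    ];
    foreach ($sample as [$id, $author, $status, $content]) {
        foreach (cvdb_scan_post($id, $author, $status, $content) as $f) {
            if ($f['level'] !== 'benign') {
                printf("post %d (author %d, %s) %s: %s\n",
                    $f['post_id'], $f['author'], $f['status'], $f['level'], $f['value']);
            }
        }
    }
}
```

Two triage notes. Reporting the post author alongside the finding matters here because the attacker is by definition an authenticated user; a flagged value on a draft owned by a Contributor account points at the account to disable and the sessions to revoke. And the scan is only as good as the places it reads: anything else that stores shortcode text (revisions, postmeta, exported backups) deserves the same regex before an incident is closed.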
OpenCVE Enrichment