The vulnerability in the Divi Booster WordPress plugin allows an attacker to modify plugin options without authentication because the function responsible for updating settings lacks proper authorization and CSRF protection. The function also uses PHP's unserialize() on user‑supplied data. This combination enables PHP Object Injection, which can be chained with an existing gadget to execute arbitrary code on the server. The result is a high‑impact breach that allows an attacker to compromise the entire WordPress installation, including sensitive data, files, or full system control, as indicated by the CVSS score of 8.1 and the identified weaknesses CWE-502 and CWE-352.

The affected product is the Divi Booster WordPress plugin from an unknown vendor. All installations running a version prior to 5.0.2 are vulnerable. No additional version details are supplied in the CNA data.

The vulnerability is uncovered by an unauthenticated attacker, meaning no credentials are required to exploit it. The CVSS score of 8.1 classifies it as high severity. The EPSS score of less than 1% suggests limited exploitation probability, and it is not listed in the CISA KEV catalog. Nevertheless, because the path to exploitation is straightforward—sending a crafted payload to the vulnerable function and leveraging a gadget chain—security teams should treat it as high risk and act promptly. The plain web interface can be abused directly, making the attack vector remote and user‑friendly.